Researchers at Kaspersky have developed a new method to detect infections from sophisticated iOS spyware and released a lightweight tool for iOS users to protect their devices.
The tool, iShutdown, is capable of identifying signs of spyware on iOS from at least 3 hard-to-detect spyware families, including Pegasus, Intellexa’s Predator, and QuaDream’s Reign.
Kaspersky’s Global Research and Analysis Team (GReAT) discovered that these infections leave traces in an often-overlooked system file, Shutdown.log, which is stored in the sysdiagnose archive on iOS devices and records details every time the device is restarted. When an iOS device infected with Pegasus malware is rebooted, the researchers explain, the file records anomalies that indicate the presence of spyware.
Among these anomalies, the team identified “sticky” processes that disrupt the normal reboot process, a characteristic often linked to Pegasus. They also found traces of infections by comparing their findings with known behaviors of spyware reported by the cybersecurity community.
Furthermore, in their analysis of Shutdown.log files from devices infected with Pegasus, the team noticed a recurring pattern in the file path “/private/var/db/,” which is similar to those found in infections by other iOS malware, like Reign and Predator.
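The two indicators described above, processes that are still running when the device shuts down and binaries living under “/private/var/db/,” can be checked with a small parser. The following Python script is an added example written for this article; it is not Kaspersky’s iShutdown tool, and the article does not document the exact line format of Shutdown.log. The script therefore assumes a line shape of its own (a `SIGTERM:` marker per reboot and `remaining client pid: <pid> (<path>)` lines for processes that had not exited), and the sample log embedded in it is constructed, not captured from a device.

```python
"""Scan a Shutdown.log-style text for processes that repeatedly delay
shutdown ("sticky" processes) and for binaries under /private/var/db/.

Added example; the line format below is an assumption, not the real
iOS format documented by the article."""
import re
from collections import Counter

# ASSUMED line shape: each reboot starts with a "SIGTERM:" line and is
# followed by one line per process that was still running at shutdown.
REMAINING_RE = re.compile(r"remaining client pid:\s*(\d+)\s*\(([^)]+)\)")
REBOOT_MARKER = "SIGTERM:"
# Path prefix the article names as recurring across Pegasus, Reign and
# Predator infections.
SUSPICIOUS_PREFIX = "/private/var/db/"

# Constructed sample: three reboots, one benign daemon that lingers twice
# and one placeholder binary under /private/var/db/ that lingers twice.
SAMPLE_LOG = """\
SIGTERM: [2024-01-08 09:12:40] shutdown requested
remaining client pid: 301 (/usr/libexec/exampled)
SIGTERM: [2024-01-10 18:44:03] shutdown requested
remaining client pid: 412 (/private/var/db/com.constructed.cache/helper)
remaining client pid: 301 (/usr/libexec/exampled)
SIGTERM: [2024-01-12 07:05:51] shutdown requested
remaining client pid: 419 (/private/var/db/com.constructed.cache/helper)
"""


def parse_shutdown_log(text):
    """Split the log into reboot sections; each is a list of (pid, path)."""
    sections = []
    current = None
    for line in text.splitlines():
        if line.startswith(REBOOT_MARKER):
            current = []
            sections.append(current)
            continue
        match = REMAINING_RE.search(line)
        if match:
            if current is None:  # entries before any marker: open a section
                current = []
                sections.append(current)
            current.append((int(match.group(1)), match.group(2).strip()))
    return sections


def analyze_shutdown_log(text, min_reboots=2):
    """Flag paths under SUSPICIOUS_PREFIX and paths that linger across
    at least `min_reboots` distinct reboots (the "sticky" behaviour)."""
    sections = parse_shutdown_log(text)
    reboots_per_path = Counter()
    for section in sections:
        # Count a path once per reboot, whatever pid it had that time.
        for path in {path for _pid, path in section}:
            reboots_per_path[path] += 1

    flagged = []
    for path, count in sorted(reboots_per_path.items()):
        under_var_db = path.startswith(SUSPICIOUS_PREFIX)
        if under_var_db or count >= min_reboots:
            flagged.append({"path": path, "reboots": count,
                            "under_var_db": under_var_db})
    return {"reboots": len(sections), "flagged": flagged}


if __name__ == "__main__":
    report = analyze_shutdown_log(SAMPLE_LOG)
    print(f"reboots seen: {report['reboots']}")
    for finding in report["flagged"]:
        tag = "VAR_DB" if finding["under_var_db"] else "STICKY"
        print(f"[{tag}] {finding['path']} lingered in {finding['reboots']} reboot(s)")
```

A hit from this script is a lead, not a verdict: as the article’s quoted researcher notes, the log indicator was confirmed against other iOS artifacts with the Mobile Verification Toolkit before being treated as an infection. Benign daemons can also linger at shutdown, which is why the script reports the reboot count alongside the path prefix rather than collapsing both into one flag.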
“The sysdiag dump analysis proves to be minimally intrusive and resource-light, relying on system-based artifacts to identify potential iPhone infections. Having received the infection indicator in this log and confirmed the infection using Mobile Verification Toolkit’s (MVT) processing of other iOS artifacts, this log now becomes part of a holistic approach to investigating iOS malware infection,” said Maher Yamout, Lead Security Researcher at Kaspersky’s Global Research and Analysis Team.
Based on these observations, Kaspersky’s researchers suggest that the Shutdown.log file could be a key resource in identifying devices infected with these types of malware.
“Since we confirmed the consistency of this behavior with the other Pegasus infections we analyzed, we believe it will serve as a reliable forensic artifact to support infection analysis,” Yamout added.