A new method for detecting sophisticated iOS spyware has been developed by researchers at Kaspersky. The Russian cybersecurity firm revealed that it has created a lightweight technique to identify infections by advanced iOS malware such as Pegasus, Predator and Reign.
Kaspersky’s Global Research and Analysis Team (GReAT) found that by analysing the Shutdown.log file in an iOS device’s sysdiagnose archive, traces of infections can be detected. The Shutdown.log retains information from every device reboot, so anomalies linked to spyware like Pegasus become visible if a compromised phone is restarted.
The researchers observed instances of “sticky” processes hindering reboots that were associated with Pegasus infections. These and other traces were identified by drawing on observations from the wider cybersecurity community about the behaviour of the notorious spyware.
According to Kaspersky, inspecting the Shutdown.log is a minimally intrusive way to spot potential iPhone infections. When paired with more comprehensive forensic analysis using tools like Mobile Verification Toolkit (MVT), the log can provide reliable evidence of iOS malware.
The malware analysts found that Pegasus infections consistently involve the path “/private/var/db/”, which is also seen in other iOS threats like Reign and Predator. This suggests the Shutdown.log could help uncover infections beyond just Pegasus.
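The detection logic described above (lingering processes that delay a reboot, and binaries running from the “/private/var/db/” path) can be illustrated with a small parser. The following is an added example written for this article, not Kaspersky’s iShutdown code, and the Shutdown.log line format it parses is a constructed approximation assumed for the example; a real log will need the regular expressions adjusted to its exact wording.

```python
import re
from collections import Counter

# Constructed Shutdown.log-style excerpt (assumed format, not a real device log).
# Each "=== system boot" line starts a new reboot record; "remaining client pid" lines
# name processes still alive when shutdown was requested; "After Ns" lines record how
# long the shutdown waited for them.
SAMPLE_LOG = """\
=== system boot: 2024-01-10 09:12:03
SIGTERM: [0x0001] remaining client pid: 52 (/usr/sbin/wifid)
After 1s, there are still 1 clients remaining.
=== system boot: 2024-01-11 08:40:11
SIGTERM: [0x0002] remaining client pid: 1142 (/private/var/db/com.example.staging/agent)
After 1s, there are still 1 clients remaining.
After 5s, there are still 1 clients remaining.
After 10s, there are still 1 clients remaining.
=== system boot: 2024-01-12 07:55:30
"""

# Path prefix the article reports as consistently present in Pegasus, Reign and
# Predator infections. The delay threshold is an assumption for this example.
SUSPICIOUS_PATH_PREFIX = "/private/var/db/"
DELAY_THRESHOLD_S = 3

BOOT_RE = re.compile(r"^=== system boot: (?P<ts>.+)$")
CLIENT_RE = re.compile(r"remaining client pid: (?P<pid>\d+) \((?P<path>[^)]+)\)")
DELAY_RE = re.compile(r"^After (?P<secs>\d+)s, there are still (?P<n>\d+) clients remaining\.$")


def parse_reboots(text):
    """Split the log into one record per reboot: timestamp, lingering clients, longest wait."""
    reboots = []
    current = None
    for line in text.splitlines():
        m = BOOT_RE.match(line)
        if m:
            current = {"ts": m.group("ts"), "clients": [], "max_delay_s": 0}
            reboots.append(current)
            continue
        if current is None:
            continue  # lines before the first boot marker are ignored
        m = CLIENT_RE.search(line)
        if m:
            current["clients"].append((int(m.group("pid")), m.group("path")))
            continue
        m = DELAY_RE.match(line)
        if m:
            current["max_delay_s"] = max(current["max_delay_s"], int(m.group("secs")))
    return reboots


def analyse(text, path_prefix=SUSPICIOUS_PATH_PREFIX, delay_threshold_s=DELAY_THRESHOLD_S):
    """Flag reboots that show either indicator and count how often each client path lingers."""
    reboots = parse_reboots(text)
    findings = []
    for r in reboots:
        reasons = []
        suspicious_paths = [p for _, p in r["clients"] if p.startswith(path_prefix)]
        if suspicious_paths:
            reasons.append("client running from %s" % path_prefix)
        if r["max_delay_s"] >= delay_threshold_s:
            reasons.append("shutdown delayed %ds by lingering client" % r["max_delay_s"])
        if reasons:
            findings.append({
                "ts": r["ts"],
                "suspicious_paths": suspicious_paths,
                "max_delay_s": r["max_delay_s"],
                "reasons": reasons,
            })
    # A path that lingers across many reboots is worth a closer look even if it
    # does not match the known prefix; the frequency table supports that triage.
    frequency = Counter(p for r in reboots for _, p in r["clients"])
    return {"reboot_count": len(reboots), "findings": findings, "client_frequency": frequency}


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    print("reboots seen:", result["reboot_count"])
    for f in result["findings"]:
        print(f["ts"], "->", "; ".join(f["reasons"]), f["suspicious_paths"])
    print("lingering clients:", dict(result["client_frequency"]))
```

In practice the text would come from the Shutdown.log inside a sysdiagnose archive, and, as the article stresses, a hit here is a trigger for fuller analysis (for example with MVT), not a verdict on its own.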
“The sysdiag dump analysis proves to be minimally intrusive and resource-light, relying on system-based artefacts to identify potential iPhone infections. Having received the infection indicator in this log and confirmed the infection using Mobile Verification Toolkit’s (MVT) processing of other iOS artefacts, this log now becomes part of a holistic approach to investigating iOS malware infection. Since we confirmed the consistency of this behaviour with the other Pegasus infections we analysed, we believe it will serve as a reliable forensic artefact to support infection analysis,” comments Maher Yamout, Lead Security Researcher at Kaspersky’s GReAT.
To simplify spyware detection for users, Kaspersky developed an open-source self-check tool that extracts, parses and analyses the Shutdown.log artefact. You can find this on GitHub at KasperskyLab/iShutdown. The Python scripts work on macOS, Windows and Linux systems.
While advanced iOS malware like Pegasus is highly sophisticated, users can still take protective steps recommended by Kaspersky:
– Reboot devices daily to clear any non-persistent infections
– Enable iOS 16’s Lockdown Mode to block known attack vectors
– Disable iMessage and FaceTime to reduce exploit surface
– Rapidly install the latest iOS updates to stay ahead of hackers
– Avoid clicking on suspicious links in messages and emails
– Regularly scan device backups and logs using security tools
By integrating practices like these into their mobile routine, Apple device owners can fortify defences against spyware and lessen the chances of a successful attack.