Kaspersky’s researchers have developed a lightweight method to detect indicators of infection from sophisticated iOS spyware such as NSO Group’s Pegasus, QuaDream’s Reign, and Intellexa’s Predator through analyzing a log file created on iOS devices.
Analyzing the Shutdown.log
The company’s experts discovered Pegasus infections leave traces in the unexpected system log, Shutdown.log, stored within any mobile iOS device’s sysdiagnose archive. This archive retains information from each reboot session, meaning anomalies associated with the Pegasus malware become apparent in the log if an infected user reboots their device.
Among those identified were instances of “sticky” processes impeding reboots, particularly those linked to Pegasus, along with infection traces discovered through cybersecurity community observations.
“The sysdiag dump analysis proves to be minimally intrusive and resource-light, relying on system-based artifacts to identify potential iPhone infections. Having received the infection indicator in this log and confirmed the infection using Mobile Verification Toolkit (MVT’s) processing of other iOS artifacts, this log now becomes part of a holistic approach to investigating iOS malware infection,” said Maher Yamout, Lead Security Researcher at Kaspersky’s Global Research and Analysis Team (GReAT).
“Since we confirmed the consistency of this behavior with the other Pegasus infections we analyzed, we believe it will serve as a reliable forensic artifact to support infection analysis.”
Analyzing the Shutdown.log in Pegasus infections, Kaspersky experts observed a common infection path, specifically “/private/var/db/”, mirroring paths seen in infections caused by other iOS malware like Reign and Predator. The company’s researchers suggest this log file holds potential for identifying infections related to these malware families.
To ease the search for spyware infections, Kaspersky experts developed a self-check utility for users. The Python3 scripts facilitate the extraction, analysis, and parsing of the Shutdown.log artifact. The tool is publicly shared on GitHub and available for macOS, Windows and Linux.
Preventing an iOS spyware infection
iOS spyware, such as Pegasus, is highly sophisticated. While the cyber community may not always prevent successful exploitation, users can take steps to make it challenging for attackers.
To safeguard against advanced spyware on iOS, Kaspersky experts recommend the following:
- Reboot daily: According to research from Amnesty International and Citizen Lab, Pegasus often relies on zero-click 0-days with no persistence. Regular daily reboots can help clean the device, making it necessary for attackers to repeatedly reinfect, thereby increasing the chances of detection over time.
- Lockdown Mode: There has been several public reports on the success of Apple’s newly added lockdown mode in blocking iOS malware infection.
- Disable iMessage and Facetime: iMessage, enabled by default, is an attractive exploitation vector. Disabling it reduces the risk of falling victim to zero-click chains. The same advice applies to Facetime, another potential vector for exploitation.
- Keep device updated: Install the latest iOS patches promptly, as many iOS exploit kits target already patched vulnerabilities. Swift updates are crucial for staying ahead of some nation-state attackers who may exploit delayed updates.
- Exercise caution with links: Avoid clicking on links received in messages, as Pegasus customers may resort to 1-click exploits delivered through SMS, other messengers, or email.
- Check backups and sysdiags regularly: Processing encrypted backups and Sysdiagnose archives using MVT and Kaspersky’s tools can help detect iOS malware.
By incorporating these practices into their routine, users can fortify their defenses against advanced iOS spyware and reduce the risk of successful attacks.