New Tool Identifies Pegasus and Other iOS Spyware

Written by

Kaspersky’s Global Research and Analysis Team (GReAT) has unveiled a new, lightweight method to detect sophisticated iOS spyware, including notorious threats like Pegasus, Reign and Predator.

Writing in an advisory published today, the researchers said they focused on analyzing the previously overlooked forensic artifact, Shutdown.log, which is stored within the sysdiagnose archive of iOS devices and retains information from each reboot session. 

Anomalies associated with Pegasus became apparent during the reboot. Instances of “sticky” processes hindering reboots, particularly those linked to Pegasus, were identified. They were then corroborated by observations from the broader cybersecurity community.

Further analysis of Pegasus infections in Shutdown.log revealed a common infection path, “/private/var/db/,” resembling paths seen in infections caused by Reign and Predator. Kaspersky researchers suggested that this log file holds the potential for identifying infections related to these malware families.

“Having received the infection indicator in this log and confirmed the infection using Mobile Verification Toolkit (MVT) processing of other iOS artifacts, this log now becomes part of a holistic approach to investigating iOS malware infection,” explained Maher Yamout, lead security researcher at Kaspersky’s GReAT.

“Since we confirmed the consistency of this behavior with the other Pegasus infections we analyzed, we believe it will serve as a reliable forensic artifact to support infection analysis.”

Read more on similar malware: Predator Spyware Linked to Madagascar's Government Ahead of Presidential Election

To empower users in the fight against iOS spyware, Kaspersky experts have also developed a self-check utility shared on GitHub. This Python3 script facilitates the extraction, analysis and parsing of the Shutdown.log artifact, catering to macOS, Windows and Linux users.

More generally, and in light of the increasing sophistication of iOS spyware, Kaspersky recommended several measures to safeguard against potential attacks. 

These include daily reboots to disrupt potential infections, utilizing Apple’s lockdown mode and disabling iMessage and FaceTime. Also, to update iOS promptly to install the latest patches, exercise caution with links and regularly check backups and sys diagnose archives.

What’s hot on Infosecurity Magazine?