Researchers Develop New Method to Detect Pegasus Spyware on iPhones
Experts from Kaspersky Lab have introduced a new method for detecting indicators of infection on iOS devices by advanced spyware, including Pegasus, Reign, and Predator. The researchers revealed that they managed to identify new signs of Pegasus infection in the system log called Shutdown.log, which is stored in the system diagnostics archive of any iOS mobile device. This archive contains information about every reboot session. This means that anomalies associated with Pegasus malware appear in the log if the owner of an infected device regularly restarts it.
Among the anomalies discovered were records of frozen processes that interfere with rebooting (linked to Pegasus), as well as other traces of infection identified by other members of the cybersecurity community.
"The analysis tool allows you to examine system artifacts and detect potential iPhone infections with minimal effort and almost no resource consumption. Infections detected using our method, based on log indicator analysis, were confirmed by processing other iOS artifacts with the Mobile Verification Toolkit (MVT). Accordingly, our approach becomes part of a comprehensive strategy for investigating iOS infections. Moreover, we confirmed the consistency of this behavior in other Pegasus infections we analyzed, and we believe this will serve as a reliable artifact for further study of the infection process," commented Igor Kuznetsov, Head of the Global Research and Analysis Team at Kaspersky Lab.
Shutdown.log Reveals Infection Paths
By analyzing Shutdown.log in Pegasus incidents, experts discovered standard infection paths, specifically /private/var/db/, similar to those found in iOS infections by other malware, including Reign and Predator. The company's specialists suggest that this log file can also help identify infections related to these other malware families.
Tools for Detecting Spyware
To make it easier to search for spyware, the experts have developed and published a special utility on GitHub that simplifies the detection, analysis, and parsing of Shutdown.log artifacts.