
Cybersecurity researchers have devised a “lightweight method,” called iShutdown, that reliably identifies signs of spyware on Apple iOS devices, including notorious threats such as NSO Group’s Pegasus, QuaDream’s Reign and Intellexa’s Predator.
Kaspersky analyzed a group of iPhones compromised by Pegasus and said the infection left traces in a file called “Shutdown.log,” a text-based system log available on all iOS devices. Every reboot event, along with its environment characteristics, is recorded there.

“Retrieving the Shutdown.log file is fairly simple compared to more time-consuming acquisition methods such as forensic device imaging or full iOS backups,” said security researcher Maher Yamout. “The log files are stored in sysdiagnose (sysdiag) archives.”
The Russian cybersecurity firm said it found entries in the log documenting instances where “sticky” processes, such as those related to spyware, caused restart delays; in some cases, more than four restart-delay notifications were observed for processes related to Pegasus.
What’s more, the investigation found that all three spyware families use similar file-system paths – “/private/var/db/” for Pegasus and Reign, and “/private/var/tmp/” for Predator – which can therefore serve as indicators of compromise.

That said, the success of this approach depends on the target rebooting their device as frequently as possible, with the frequency varying based on their threat profile.
Kaspersky has also released a set of Python scripts to extract, analyze and parse Shutdown.log and pull out reboot statistics.
“The lightweight nature of this method makes it easy to use and access,” Yamout said. “Additionally, the log archive can store entries for several years, making it a valuable forensic artifact for analyzing and identifying anomalous log entries.”
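The checks the article describes (count reboots, count restart-delay notices per process, flag processes under the two reported path prefixes) as an added example; this is not Kaspersky’s script, the line shapes it parses are a constructed approximation of Shutdown.log rather than its documented format, and the `min_delays` threshold and the sample daemon path are assumptions.

```python
import re
from collections import Counter

# File-system prefixes the article reports for the three spyware families:
# /private/var/db/ for Pegasus and Reign, /private/var/tmp/ for Predator.
SUSPICIOUS_PREFIXES = ("/private/var/db/", "/private/var/tmp/")

# Line shapes this example assumes (a constructed approximation of
# Shutdown.log, not its documented format): one marker line per shutdown,
# then one line per process that was still running and delayed the restart.
SHUTDOWN_RE = re.compile(r"^SIGTERM: \[0x[0-9a-fA-F]+\]")
CLIENT_RE = re.compile(r"remaining client pid: (\d+) \((/\S+)\)")

def analyze_shutdown_log(text, min_delays=4):
    """Count reboots and restart-delay notices per process path.

    Returns the reboot count, a path -> delay-count map, the paths under a
    suspicious prefix, and the paths that delayed more than `min_delays`
    restarts (the article reports more than four for Pegasus processes).
    """
    reboots = 0
    delays = Counter()
    for line in text.splitlines():
        if SHUTDOWN_RE.match(line):
            reboots += 1
        elif (m := CLIENT_RE.search(line)):
            delays[m.group(2)] += 1
    flagged = sorted(p for p in delays if p.startswith(SUSPICIOUS_PREFIXES))
    persistent = sorted(p for p, n in delays.items() if n > min_delays)
    return {"reboots": reboots, "delays": dict(delays),
            "flagged": flagged, "persistent": persistent}

# Constructed sample: five shutdowns; a hypothetical daemon under
# /private/var/db/ delays every one of them, a system daemon only once.
BAD = "/private/var/db/EXAMPLE.staging/exampled"   # placeholder, not a real IoC
_lines = []
for i in range(1, 6):
    _lines += [f"SIGTERM: [0x{i:x}] initiating shutdown",
               "After 3s there are still 1 clients:",
               f"remaining client pid: {4000 + i} ({BAD})"]
_lines.insert(3, "remaining client pid: 512 (/usr/libexec/exampled)")
SAMPLE_LOG = "\n".join(_lines)

if __name__ == "__main__":
    report = analyze_shutdown_log(SAMPLE_LOG)
    print(f"reboots: {report['reboots']}")
    for path, n in report["delays"].items():
        print(f"{n:3d}x {path}")
    print("flagged:", report["flagged"])
    print("persistent:", report["persistent"])
```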

The revelation comes as SentinelOne revealed that information-stealing programs targeting macOS such as KeySteal, Atomic and JaskaGo (aka CherryPie or Gary Stealer) are rapidly adapting to circumvent Apple’s built-in antivirus technology called XProtect.
“Despite Apple’s efforts to update its XProtect signature database, these rapidly evolving malware strains continue to evade,” said security researcher Phil Stokes. “Relying on signature-based detection alone is not enough, as threat actors have the means and motivation to adapt quickly.”