Kaspersky Introduces Tool That Detects Pegasus Spyware on iOS

Penka Hristovska, Senior Editor

Researchers at Kaspersky have developed a new method to detect infections from sophisticated iOS spyware and released a lightweight tool for iOS users to protect their devices.

The tool, iShutdown, can identify signs of at least three hard-to-detect iOS spyware families, including Pegasus, Intellexa’s Predator, and QuaDream’s Reign.

Kaspersky’s Global Research and Analysis Team (GReAT) discovered that these infections leave traces in an often-overlooked system file called Shutdown.log, which is located in the sysdiagnose archive of an iOS device and records details every time the device is restarted. The researchers explain that when an iOS device infected with Pegasus is rebooted, the file records anomalies that are indicative of a spyware presence.

Among these anomalies, the team identified “sticky” processes that disrupt the normal reboot process, a characteristic often linked to Pegasus. They also found traces of infections by comparing their findings with known behaviors of spyware reported by the cybersecurity community.

Furthermore, in their analysis of Shutdown.log files from devices infected with Pegasus, the team noticed a recurring pattern in the file path “/private/var/db/,” which is similar to those found in infections by other iOS malware, like Reign and Predator.
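The two observations above (processes that are still running when the device tries to shut down, and client paths under “/private/var/db/”) translate directly into a triage check. The script below is an added example, not Kaspersky’s iShutdown code; the line layout of the constructed sample log and the “remaining client pid” wording are assumptions for this illustration and should be compared against a real sysdiagnose dump before use.

```python
import re
from collections import Counter

# Constructed sample of a Shutdown.log: a timestamp line opens each reboot record,
# followed by the processes that were still running when shutdown was requested.
# The exact line shapes are an assumption for this example, not a documented format.
SAMPLE_LOG = """\
Mon Jan  8 09:12:03 2024
SIGTERM: [0x1c] remaining client pid: 412 (/usr/libexec/example_daemon)
Tue Jan  9 18:40:11 2024
SIGTERM: [0x1c] remaining client pid: 739 (/private/var/db/com.example.staging/agent)
SIGTERM: [0x1c] remaining client pid: 412 (/usr/libexec/example_daemon)
Wed Jan 10 07:05:44 2024
SIGTERM: [0x1c] remaining client pid: 801 (/private/var/db/com.example.staging/agent)
SIGTERM: [0x1c] remaining client pid: 412 (/usr/libexec/example_daemon)
"""

REBOOT_RE = re.compile(r"^[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \d{4}$")
CLIENT_RE = re.compile(r"remaining client pid: (\d+) \((.+)\)$")
SUSPECT_PREFIX = "/private/var/db/"  # path pattern reported in the article


def parse_reboots(text):
    """Group 'remaining client' entries under the reboot record they belong to."""
    reboots = []
    for line in text.splitlines():
        line = line.strip()
        if REBOOT_RE.match(line):
            reboots.append({"timestamp": line, "clients": []})
        elif (m := CLIENT_RE.search(line)) and reboots:
            reboots[-1]["clients"].append({"pid": int(m.group(1)), "path": m.group(2)})
    return reboots


def analyse(text, sticky_min=2):
    """Flag suspect paths and processes that hold up shutdown across several reboots."""
    reboots = parse_reboots(text)
    # Count in how many reboot records each path appears (one hit per reboot).
    per_reboot = Counter(p for r in reboots for p in {c["path"] for c in r["clients"]})
    suspicious = sorted(p for p in per_reboot if p.startswith(SUSPECT_PREFIX))
    sticky = sorted(p for p, n in per_reboot.items() if n >= sticky_min)
    return {"reboots": len(reboots), "suspicious_paths": suspicious, "sticky_processes": sticky}


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

A legitimate daemon may also delay shutdown, so a sticky entry alone is a lead to confirm with MVT or other artifacts, not proof of infection.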

“The sysdiag dump analysis proves to be minimally intrusive and resource-light, relying on system-based artifacts to identify potential iPhone infections. Having received the infection indicator in this log and confirmed the infection using Mobile Verification Toolkit’s (MVT) processing of other iOS artifacts, this log now becomes part of a holistic approach to investigating iOS malware infection,” said Maher Yamout, Lead Security Researcher at Kaspersky’s Global Research and Analysis Team.

Based on these observations, Kaspersky’s researchers suggest that the Shutdown.log file could be a key resource in identifying devices infected with these types of malware.

“Since we confirmed the consistency of this behavior with the other Pegasus infections we analyzed, we believe it will serve as a reliable forensic artifact to support infection analysis,” Yamout added.

About the Author

Penka Hristovska is an editor at SafetyDetectives. She was an editor at several review sites that covered all things technology — including VPNs and password managers — and had previously written on various topics, from online security and gaming to computer hardware. She’s highly interested in the latest developments in the cybersecurity space and enjoys learning about new trends in the tech sector. When she’s not in “research mode,” she’s probably re-watching Lord of The Rings or playing DOTA 2 with her friends.