New iShutdown method reveals hidden spyware like Pegasus on your iPhone


Cybersecurity researchers have identified a “lightweight method” called iShutdown to reliably identify signs of spyware on Apple iOS devices, including notorious threats such as NSO Group’s Pegasus, QuaDream’s Reign, and Intellexa’s Predator.

Kaspersky, which analyzed a number of iPhones compromised by Pegasus, said the infections left traces in a file called ‘Shutdown.log’, a text-based system log present on every iOS device that records each reboot event along with its environment characteristics.

“Compared to time-consuming acquisition methods such as forensic device imaging or a full iOS backup, retrieving the Shutdown.log file is quite simple,” security researcher Maher Yamout said. “The log file is stored in a sysdiagnose (sysdiag) archive.”

The Russian cybersecurity company said it identified entries in the log file recording instances where “sticky” processes, such as those associated with the spyware, caused a reboot delay; in some cases, Pegasus-related processes were observed in more than four reboot delays.

In addition, the study revealed a similar filesystem path used by all three spyware families (“/private/var/db/” for Pegasus and Reign, and “/private/var/tmp/” for Predator), which can serve as an indicator of compromise.
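To make the two detection signals above concrete (processes that repeatedly delay a reboot, and process paths under the known prefixes), here is a small analyzer written for this article; it is not Kaspersky’s iShutdown code. The Shutdown.log line formats it parses, the sample log, the process names in it, and the “four or more delayed reboots” threshold are all assumptions for the sake of the example; adjust the regular expressions to the format on a real device.

```python
import re
from collections import Counter

# Constructed sample in the style of an iOS Shutdown.log. The exact line
# formats are an assumption for this example, not copied from a real device.
_REBOOT_CLEAN = """\
=== Shutdown start ===
SIGTERM: [0x1f3] /usr/libexec/locationd
SIGTERM: [0x2a4] /usr/sbin/mediaserverd
After 3s, there are still 1 clients: [0x1f3] /usr/libexec/locationd
=== Shutdown end ===
"""
# Hypothetical agent under /private/var/db/ that keeps delaying shutdown.
_REBOOT_STICKY = """\
=== Shutdown start ===
SIGTERM: [0x1f3] /usr/libexec/locationd
SIGTERM: [0x4b1] /private/var/db/example.staging/hypothetical-agent
After 3s, there are still 1 clients: [0x4b1] /private/var/db/example.staging/hypothetical-agent
After 6s, there are still 1 clients: [0x4b1] /private/var/db/example.staging/hypothetical-agent
=== Shutdown end ===
"""
# One clean reboot followed by four where the hypothetical agent is sticky.
SAMPLE_LOG = _REBOOT_CLEAN + _REBOOT_STICKY * 4

START_MARK = "=== Shutdown start ==="
END_MARK = "=== Shutdown end ==="
# "[0x4b1] /path/to/binary" -> "/path/to/binary"
PROC_RE = re.compile(r"\[0x[0-9a-fA-F]+\]\s+(\S+)")
# Lines reporting processes still alive after the shutdown grace period.
STILL_RE = re.compile(r"^After\s+\S+,\s+there are still\s+\d+\s+clients?:\s*(.*)$")
# Path prefixes reported in the article for Pegasus/Reign and Predator.
IOC_PATH_PREFIXES = ("/private/var/db/", "/private/var/tmp/")


def parse_reboots(log_text):
    """Split the log into reboot events; each event records every process
    that received SIGTERM and the subset that delayed the shutdown."""
    reboots = []
    current = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == START_MARK:
            current = {"processes": set(), "delayers": set()}
        elif line == END_MARK:
            if current is not None:
                reboots.append(current)
            current = None
        elif current is not None:
            still = STILL_RE.match(line)
            if still:
                for path in PROC_RE.findall(still.group(1)):
                    current["delayers"].add(path)
                    current["processes"].add(path)
            elif line.startswith("SIGTERM:"):
                current["processes"].update(PROC_RE.findall(line))
    return reboots


def analyze(log_text, min_delays=4):
    """Count, per process path, how many reboots it delayed; flag paths that
    did so at least min_delays times (assumed threshold) and any path under
    the article's indicator prefixes."""
    reboots = parse_reboots(log_text)
    delay_counts = Counter()
    seen_paths = set()
    for reboot in reboots:
        delay_counts.update(reboot["delayers"])
        seen_paths.update(reboot["processes"])
    sticky = {p: n for p, n in delay_counts.items() if n >= min_delays}
    ioc_hits = sorted(p for p in seen_paths if p.startswith(IOC_PATH_PREFIXES))
    return {
        "reboots": len(reboots),
        "delay_counts": dict(delay_counts),
        "sticky": sticky,
        "ioc_path_hits": ioc_hits,
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The prefix match is deliberately coarse: legitimate system components can also live under /private/var/db/, so a path hit is a lead to pull the binary and check it, not a verdict on its own. The reboot-delay count is only meaningful relative to the total number of reboots the log holds, which is why the analyzer reports that figure alongside the flags.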


That said, the success of this approach depends on the targeted user rebooting the device reasonably often, since an entry is only written when a reboot actually happens, and reboot frequency varies with the user’s threat profile.

Kaspersky has also published a collection of Python scripts to extract, analyze, and parse Shutdown.log and pull out the reboot statistics.

“The lightweight nature of this method makes it easily available and accessible,” Yamout said. “Additionally, this log file can retain data for several years, making it a valuable forensic artifact for analyzing and identifying anomalous log data.”

The revelation comes as SentinelOne exposed that information stealers targeting macOS, such as KeySteal, Atomic, and JaskaGo (aka CherryPie or Gary Stealer), are quickly adapting to Apple’s built-in antivirus technology called XProtect.

“Despite Apple’s robust efforts to update the XProtect signature database, these rapidly evolving malware strains continue to elude,” security researcher Phil Stokes said. “Relying solely on signature-based detection is insufficient because threat actors have the means and motive to adapt quickly.”

