iShutdown: A Lightweight Method Unveils Spyware Traces on iOS Devices

Cybersecurity researchers have unveiled a new “lightweight method” named iShutdown, designed to effectively detect signs of spyware on Apple iOS devices. This method is particularly capable of identifying notorious threats such as NSO Group’s Pegasus, QuaDream’s Reign, and Intellexa’s Predator.

The analysis, conducted by Kaspersky on compromised iPhones targeted by Pegasus, revealed traces of the infection in a file named “Shutdown.log,” a text-based system log file present on all iOS devices. This file records each reboot event along with its environmental characteristics, offering a faster and less resource-intensive alternative to traditional acquisition methods such as forensic device imaging.


Security researcher Maher Yamout emphasized the simplicity of retrieving the Shutdown.log file compared to other methods, as it is stored in a sysdiagnose (sysdiag) archive. Entries in this log file highlighted instances where “sticky” processes, associated with spyware like Pegasus, caused reboot delays. Notably, the investigation identified Pegasus-related processes in over four reboot delay notices.

Further scrutiny unveiled a common filesystem path used by all three spyware families – “/private/var/db/” for Pegasus and Reign, and “/private/var/tmp/” for Predator. This shared indicator of compromise adds another layer of reliability to the iShutdown method.
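As an added illustration of the kind of check described above (not Kaspersky's published scripts), the following Python snippet scans a Shutdown.log for reboot-delay notices and flags lingering processes whose path sits under the two directories named in the article. The exact line layout of Shutdown.log and the sample entries are constructed assumptions for the example.

```python
import re
from collections import Counter

# Filesystem prefixes the article reports as shared by Pegasus, Reign and Predator.
SUSPICIOUS_PREFIXES = ("/private/var/db/", "/private/var/tmp/")

# Constructed sample log. The line format is an assumption made for this example,
# not copied from a real device; the process names are placeholders.
SAMPLE_LOG = """\
SIGTERM: [0x0001] reboot
After 3s, there are still 2 proc(s) open:
    remaining client pid: 512 (/usr/libexec/constructed_benign_daemon)
    remaining client pid: 777 (/private/var/db/constructed_sticky_process)
SIGTERM: [0x0002] reboot
After 3s, there are still 2 proc(s) open:
    remaining client pid: 801 (/private/var/tmp/constructed_helper)
    remaining client pid: 790 (/private/var/db/constructed_sticky_process)
SIGTERM: [0x0003] reboot
"""

DELAY_RE = re.compile(r"^After (\d+)s, there are still (\d+) proc\(s\) open")
CLIENT_RE = re.compile(r"remaining client pid: (\d+) \((?P<path>[^)]+)\)")


def analyze(log_text):
    """Count reboots and delay notices; list lingering processes under suspicious paths.

    Each suspicious hit is tied to the reboot (1-based index) it was recorded under,
    and path_counts shows how often a given path recurs across reboots, which is the
    repetition the article treats as the anomaly signal.
    """
    reboots = delays = 0
    suspicious = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("SIGTERM:"):
            reboots += 1  # a new reboot event begins
        elif DELAY_RE.match(line):
            delays += 1  # shutdown was held up by processes still running
        else:
            m = CLIENT_RE.search(line)
            if m and m.group("path").startswith(SUSPICIOUS_PREFIXES):
                suspicious.append((reboots, int(m.group(1)), m.group("path")))
    path_counts = Counter(path for _, _, path in suspicious)
    return {"reboots": reboots, "delays": delays,
            "suspicious": suspicious, "path_counts": path_counts}
```

Paths that recur in delay notices across many reboots deserve a closer look; a single benign daemon holding up one shutdown does not.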

However, the success of iShutdown relies on the target user’s willingness to reboot their device regularly, with the frequency varying based on their threat profile. Kaspersky has generously shared a collection of Python scripts to extract, analyze, and parse the Shutdown.log, streamlining the process of extracting reboot statistics.

Maher Yamout emphasized the lightweight nature of iShutdown, making it readily accessible. Additionally, the log file’s ability to store entries for several years enhances its value as a forensic artefact for identifying anomalous log entries.

This revelation aligns with SentinelOne’s recent disclosure about information stealers targeting macOS, including KeySteal, Atomic, and JaskaGo. These malware strains are adapting swiftly to evade Apple’s built-in antivirus technology, XProtect. It underscores the need for more advanced detection methods beyond traditional signature-based approaches. Security researcher Phil Stokes warned that relying solely on signature-based detection is insufficient, given threat actors’ ability to adapt rapidly. As the landscape of cyber threats evolves, innovative and efficient detection methods like iShutdown become increasingly crucial for safeguarding Apple iOS devices.


Onsa Mustafa

Onsa is a Software Engineer and a tech blogger who focuses on providing the latest information regarding the innovations happening in the IT world. She likes reading, photography, travelling and exploring nature.
