Researchers at Kaspersky have developed a new method for detecting sophisticated iOS spyware. The Russian cybersecurity firm says the lightweight technique can identify infections by advanced iOS malware such as Pegasus, Predator and Reign.
Kaspersky’s Global Research and Analysis Team (GReAT) found that traces of an infection can be detected by analysing the shutdown.log file contained in an iOS device’s sysdiagnose archive, a diagnostic bundle the user can generate on the device itself without jailbreaking it. The shutdown.log records every reboot, including any processes that were still running when the system was told to shut down, so anomalies linked to spyware like Pegasus become visible once a compromised phone is restarted. The corollary is that a device that has not been rebooted since it was infected leaves nothing in the log.
The researchers observed “sticky” processes that refused to exit and delayed reboots, and found these were associated with Pegasus infections; Kaspersky’s write-up reports that on the infected devices it examined the processes in question ran from the /private/var/db/com.apple.xpc.roleaccountd.staging/ directory, which it treats as an indicator of compromise. These and other traces were identified by drawing on observations from the wider cyber security community about the behaviour of the notorious spyware.
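The analysis described above, as an added example that is not Kaspersky’s code or its published scripts: a Python triage tool that parses shutdown.log into one record per reboot, flags any still-running client whose executable sits under the /private/var/db/com.apple.xpc.roleaccountd.staging/ directory that Kaspersky’s write-up associates with Pegasus, and separately reports any path that stalled two or more reboots, which is the “sticky” pattern worth a second look even for an unfamiliar path. The line shapes, the TS timestamp field and the sample log are approximations constructed here, the process names are placeholders, and the helper that pulls the file out of a sysdiagnose tarball matches on file name rather than assuming a fixed path; verify the regular expressions against a real shutdown.log before relying on the output.

```python
"""Triage an iOS shutdown.log for processes that stalled reboots.

Added example, not Kaspersky's own tooling. The line shapes handled here
approximate shutdown.log's format; confirm the regexes against a real file
before relying on the output. Process names in the sample are placeholders.
"""
import re
import sys
import tarfile
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Directory Kaspersky's write-up associates with Pegasus: the processes that
# kept reboots from completing on infected devices were launched from here.
SUSPICIOUS_PREFIXES = ("/private/var/db/com.apple.xpc.roleaccountd.staging/",)

RE_SIGTERM = re.compile(r"^SIGTERM:")                 # start of one reboot record
RE_TS = re.compile(r"\bTS:\s*(\d+)")                   # unix timestamp on that line
RE_STALL = re.compile(r"^After (\d+)s, there are still \d+ clients?")
RE_CLIENT = re.compile(r"^remaining client pid:\s*(\d+)\s*\(([^)]+)\)")

@dataclass
class Reboot:
    ts: Optional[int] = None                           # from the TS: field, if any
    max_wait: int = 0                                  # longest "After Ns" wait seen
    clients: Dict[int, str] = field(default_factory=dict)  # pid -> executable path

def parse(text: str) -> List[Reboot]:
    """Split the log into one Reboot per SIGTERM record."""
    reboots: List[Reboot] = []
    cur: Optional[Reboot] = None
    for raw in text.splitlines():
        line = raw.strip()
        if RE_SIGTERM.match(line):
            cur = Reboot()
            reboots.append(cur)
            m = RE_TS.search(line)
            cur.ts = int(m.group(1)) if m else None
        elif cur is None:
            continue                                   # text before the first record
        elif (m := RE_STALL.match(line)):
            cur.max_wait = max(cur.max_wait, int(m.group(1)))
        elif (m := RE_CLIENT.match(line)):
            cur.clients[int(m.group(1))] = m.group(2)
    return reboots

def analyze(text: str, stall_threshold: int = 3) -> dict:
    """Counts plus clients worth a closer look: known-bad paths, and paths
    that stalled two or more separate reboots (the 'sticky' pattern)."""
    reboots = parse(text)
    suspicious, seen_in = [], Counter()                # seen_in: path -> reboots stalled
    for idx, r in enumerate(reboots):
        seen_in.update(set(r.clients.values()))
        for pid, path in sorted(r.clients.items()):
            if path.startswith(SUSPICIOUS_PREFIXES):
                suspicious.append({"reboot": idx, "ts": r.ts, "pid": pid, "path": path})
    return {
        "reboots": len(reboots),
        "stalled": sum(r.max_wait >= stall_threshold for r in reboots),
        "suspicious": suspicious,
        "recurring": {p: n for p, n in seen_in.items() if n >= 2},
    }

def read_shutdown_log(archive_path: str) -> str:
    """Pull shutdown.log out of a sysdiagnose tarball without unpacking it all;
    matches on file name since the archive layout can differ by iOS version."""
    with tarfile.open(archive_path, "r:*") as tar:
        for member in tar.getmembers():
            if member.isfile() and member.name.endswith("shutdown.log"):
                return tar.extractfile(member).read().decode("utf-8", "replace")
    raise FileNotFoundError("no shutdown.log inside %s" % archive_path)

# Constructed sample: two reboots stalled by a process under the staging
# directory, one stalled by an ordinary daemon, one clean reboot.
SAMPLE_LOG = """\
SIGTERM: [0x1a2b] TS: 1700000000
After 3s, there are still 1 clients
remaining client pid: 1472 (/private/var/db/com.apple.xpc.roleaccountd.staging/example-agent)
After 6s, there are still 1 clients
remaining client pid: 1472 (/private/var/db/com.apple.xpc.roleaccountd.staging/example-agent)
SIGTERM: [0x1a2b] TS: 1700086400
After 3s, there are still 1 clients
remaining client pid: 1510 (/private/var/db/com.apple.xpc.roleaccountd.staging/example-agent)
SIGTERM: [0x1a2b] TS: 1700172800
After 3s, there are still 1 clients
remaining client pid: 88 (/usr/libexec/example-daemon)
SIGTERM: [0x1a2b] TS: 1700259200
"""

if __name__ == "__main__":
    report = analyze(read_shutdown_log(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG)
    print("reboots: %(reboots)d  stalled: %(stalled)d" % report)
    for hit in report["suspicious"]:
        print("SUSPICIOUS reboot #%(reboot)d ts=%(ts)s pid=%(pid)d %(path)s" % hit)
    for path, n in report["recurring"].items():
        print("recurring across %d reboots: %s" % (n, path))
```

Run it with no argument to see the result on the constructed sample, or pass the path to a sysdiagnose .tar.gz pulled from the device. Treat an empty report as inconclusive rather than clean: the log only captures reboots that actually happened after infection, and an attacker with code execution could have cleared it.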
According to Kaspersky, inspecting the shutdown.log is a minimally intrusive way to spot potential iPhone infections, since it needs only a sysdiagnose archive rather than a full filesystem image or a jailbroken device. On its own the log is a triage signal rather than proof; when paired with more comprehensive forensic analysis using tools like the Mobile Verification Toolkit (MVT), it can help build reliable evidence of iOS malware.