Cybersecurity researchers have introduced a lightweight method called iShutdown for detecting spyware on Apple iOS devices, including notorious threats like Pegasus, Reign, and Predator. The technique involves analyzing a file named “Shutdown.log” on compromised iPhones, which records reboot events and their characteristics. Kaspersky found traces of spyware-related processes causing reboot delays, providing a straightforward approach to identify spyware. The log file, stored in a sysdiagnose (sysdiag) archive, offers a valuable forensic artifact for analyzing and identifying anomalous entries over several years.
The investigation revealed specific entries in the log file that recorded instances where “sticky” processes associated with spyware caused reboot delays. Some cases showed Pegasus-related processes in over four reboot delay notices. Additionally, the study found a common filesystem path used by all three spyware families – “/private/var/db/” for Pegasus and Reign, and “/private/var/tmp/” for Predator – acting as an indicator of compromise. However, the effectiveness of this method relies on the target user rebooting their device frequently, with the frequency varying based on their threat profile.
Kaspersky has published a collection of Python scripts to extract, analyze, and parse the Shutdown.log, making the lightweight nature of this method readily available and accessible. Security researcher Maher Yamout emphasized the log file’s capability to store entries for several years, making it a valuable forensic tool for identifying anomalous log entries. This revelation comes in conjunction with SentinelOne’s disclosure about information stealers targeting macOS, such as KeySteal, Atomic, and JaskaGo, adapting quickly to evade Apple’s built-in antivirus technology, XProtect. The ongoing evolution of malware strains underscores the need for adaptive cybersecurity measures beyond signature-based detection.
