Cybersecurity researchers have identified a “lightweight method” called iShutdown to reliably identify signs of spyware on Apple iOS devices, including fairly well-known threats in the cybersecurity world such as Pegasus by the NSO Group, Reign by QuaDream and Predator by Intellexa.
How the iPhone method called iShutdown works
Kaspersky, which analyzed a set of iPhones compromised by Pegasus, said that the infections leave traces in a file called “Shutdown.log” (hence the name iShutdown), a text-based system log file present on all iOS devices that records every reboot event along with its environmental characteristics.
“Compared to more time-consuming acquisition methods such as forensic device imaging or a full iOS backup, Shutdown.log file recovery is pretty simple,” said security researcher Maher Yamout. “The log file is stored in a sysdiagnose archive (sysdiag).”
The Russian cybersecurity company said it had identified entries in the log file recording instances where “sticky” processes, such as those associated with spyware, caused a reboot delay; in some cases it observed Pegasus-related processes in more than four reboot delay warnings.
Additionally, the investigation revealed a similar file system path used by all three spyware families – “/private/var/db/” for Pegasus and Reign and “/private/var/tmp/” for Predator – which therefore acts as an indicator of compromise.
That said, the success of this approach depends on one condition: that the user, who is the target, reboots their device as often as possible; how often that actually happens varies with their threat profile.
Kaspersky has also published a collection of Python scripts to extract, analyze and parse the Shutdown.log file in order to obtain reboot statistics.
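The following is an added illustration of the idea behind the method, not Kaspersky's own scripts: it walks a Shutdown.log-style text, counts reboot events and reboot-delay warnings, and tallies how often a “sticky” process path under the two prefixes named above appears in those warnings. The log lines are constructed for this example and only loosely modelled on the real file; the line shapes, process names and the `flag_suspects` threshold are assumptions.

```python
import re
from collections import Counter

# Path prefixes the article names as shared by the three spyware families.
SUSPECT_PREFIXES = ("/private/var/db/", "/private/var/tmp/")

# Constructed sample, loosely modelled on Shutdown.log; not a real capture.
SAMPLE_LOG = """\
SIGTERM: [0x1a2b]: 2023-05-10 09:14:02 (hypothetical reboot entry)
After 3s, there are still 1 proc(s) running:
        remaining client pid: 482 (/private/var/db/com.example.sticky/agent)
SIGTERM: [0x1a2c]: 2023-05-11 18:40:55 (hypothetical reboot entry)
After 3s, there are still 2 proc(s) running:
        remaining client pid: 491 (/private/var/db/com.example.sticky/agent)
        remaining client pid: 77 (/System/Library/PrivateFrameworks/example)
SIGTERM: [0x1a2d]: 2023-05-12 07:02:11 (hypothetical reboot entry)
"""

DELAY_RE = re.compile(r"^After \d+s, there are still \d+ proc\(s\) running:")
CLIENT_RE = re.compile(r"remaining client pid: (\d+) \(([^)]+)\)")


def parse_shutdown_log(text):
    """Return reboot count, delay-warning count and per-path hit counts."""
    reboots = delays = 0
    suspect_hits = Counter()
    in_delay = False  # True while inside a reboot-delay warning block
    for line in text.splitlines():
        if line.startswith("SIGTERM:"):
            reboots += 1          # each SIGTERM entry marks one reboot event
            in_delay = False
            continue
        if DELAY_RE.match(line):
            delays += 1           # a process held up the shutdown
            in_delay = True
            continue
        m = CLIENT_RE.search(line)
        if in_delay and m and m.group(2).startswith(SUSPECT_PREFIXES):
            suspect_hits[m.group(2)] += 1
    return {"reboots": reboots, "delay_warnings": delays,
            "suspect_paths": dict(suspect_hits)}


def flag_suspects(stats, threshold=4):
    """Paths seen in more than `threshold` delay warnings (assumed cut-off)."""
    return sorted(p for p, n in stats["suspect_paths"].items() if n > threshold)


if __name__ == "__main__":
    stats = parse_shutdown_log(SAMPLE_LOG)
    print(stats, flag_suspects(stats, threshold=1))
```

Because the sample holds only two delay warnings, the default cut-off flags nothing; lowering the threshold shows how a recurring path under /private/var/db/ would surface.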
“The lightweight nature of this method makes it readily available and accessible,” Yamout said. “Furthermore, this log file can retain entries for several years, making it a valuable forensic artifact for analyzing and identifying anomalous log entries.”
The disclosure comes as SentinelOne revealed that information stealers targeting macOS, such as KeySteal, Atomic and JaskaGo (also known as “CherryPie” or “Gary Stealer”), are quickly adapting to evade Apple's built-in antivirus technology, XProtect.
“Despite solid efforts by Apple to update its XProtect signature database, these rapidly evolving malware variants continue to evade,” said security researcher Phil Stokes. “Relying solely on signature-based detection is insufficient, as cybercriminals have the means and the motive to adapt quickly.”
In case the damage has already been done
In normal cases I would have written “use Malwarebytes and it will detect it for sure”; it's a shame that (at least officially) Malwarebytes is not available in Italy on the Apple Store. The only thing to do in this case is to look for a valid antivirus alternative for iPhone/iPad, regardless of the iShutdown method, however, because one thing, by force of circumstances, does not exclude the other.