As we are completely revolutionizing the digital world, the online sector is also becoming vulnerable to increasing threats. Cyber attacks such as malware are a constant concern for individuals and governments. Among these threats, Pegasus spyware is particularly troublesome. Once infected, a device can be hacked, giving remote attackers access to all data and turning it into a powerful surveillance tool.
To help users protect themselves from sophisticated iOS spyware threats like Pegasus, its new variants Reign, and Predator, researchers at Kaspersky have unveiled a novel, lightweight detection method. Using an unknown forensic artifact – the shutdown.log file – Kaspersky’s Global Research and Analysis Team (GReAT) has developed a simple approach to identifying signs of compromise. Additionally, they have also created a self-check tool for users to easily assess their level of vulnerability.
Detailing the methods, Kaspersky’s experts explain that the Pegasus infection leaves traces in an unconventional system log called shutdown.log, which is located within the sysdiagnose archive of any iOS device. This archive stores data from each reboot, making it an important place to identify anomalies caused by Pegasus when an infected device restarts.
Additionally, they also observed cases of “sticky” processes that make reboots difficult, mostly from Pegasus, and other clues to the spyware that other experts found.
“The sysdiag dump analysis proves to be minimally intrusive and resource-light, relying on system-based artefacts to identify potential iPhone infections. Having received the infection indicator in this log and confirmed the infection using Mobile Verification Toolkit (MVT’s) processing of other iOS artefacts, this log now becomes part of a holistic approach to investigating iOS malware infection. Since we confirmed the consistency of this behavior with the other Pegasus infections we analyzed, we believe it will serve as a reliable forensic artefact to support infection analysis,” reveals Maher Yamout, Lead Security Researcher at Kaspersky’s GReAT.
Kaspersky experts created a tool to help users find spyware on their devices. The tool uses a Python3 script to obtain and examine the shutdown.log file. This tool is free and works on macOS, Windows, and Linux. You can find it on GitHub.
Additionally, experts point out that spyware like Pegasus is very difficult to detect and stop. But users can take protective measures to make it harder for attackers to spy on them. Kaspersky experts recommend these tips to protect your iOS device from spyware:
- Restart every day: Some research says that Pegasus uses zero-click attacks that do not remain on the device. Restarting every day can remove the spyware, and force attackers to try again, which can be ignored.
- Use Lockdown Mode: Some reports say that Apple’s Lockdown Mode can prevent iOS malware from getting in.
- Be careful of links: Do not click on links in messages, as some Pegasus users may use 1-click attacks via SMS, email or other apps.
- Check your backup and Sysdiagnose: You can use tools from MVT and Kaspersky to scan your backup and Sysdiagnose files for signs of iOS malware.
- Turn off iMessage and Facetime: iMessage and Facetime can be used by attackers to send zero-click attacks. Turning them off can reduce the risk of acquiring spyware.
- Update your device: Always install the latest iOS update, as some spyware uses old bugs that have been fixed. Updating quickly can keep you safe from some attackers using outdated spyware.
