Beyond Pegasus: Kaspersky Lab’s Techniques for Identifying iOS Malware

Specialists at Kaspersky Lab have shared their experience in analyzing iOS devices infected with the Pegasus spyware developed by the Israeli company NSO Group. It was found that malicious software leaves traces in the system file Shutdown.log. The method developed can help detect not only Pegasus but other malicious programs such as Reign from QuaDream and Predator from Cytrox, which use similar paths in the file system.

Shutdown.log is a textual log file created on iOS devices with each reboot. It records information about the processes running at the moment of reboot, their identifiers, and paths in the file system. If any process impedes the normal reboot, this too is noted in the log file. Kaspersky Lab experts noticed that malicious programs often launch from folders “/private/var/db/” or “/private/var/tmp/”, and these paths can be seen in Shutdown.log.

To obtain the log file, one must generate a sysdiag archive, which contains various system logs and databases. This can be done in the iOS settings, under “Settings” > “Privacy and Security” > “Analytics and Improvements.” The sysdiag archive is about 200-400 MB in size and can be transferred to a computer for analysis. After unpacking the archive, the Shutdown.log file is located in the “\system_logs.logarchive\Extra” folder.

Kaspersky Lab has created several Python3 scripts that assist in extracting and analyzing the Shutdown.log file. The scripts can detect anomalies in the log file – malicious processes launched, reboot delays, or unusual paths in the file system. They can also convert the log file into a CSV format, decode time stamps, and generate an analysis summary.

Experts emphasize that analyzing the Shutdown.log file is not a universal method for detecting all malicious software on iOS devices and that such a method depends on how often the user reboots their device. They also continue to study the log file in more detail and on different platforms, hoping to create more heuristics from its records.

It’s worth noting that the battle against malicious software by rebooting smartphones was previously mentioned by the GrapheneOS development team, who created the eponymous operating system for Android, focused on privacy and security. The specialists suggested introducing an automatic reboot feature in Android, which would complicate the exploitation of firmware vulnerabilities.