Pierluigi Paganini
January 18, 2024
Cybersecurity researchers from Kaspersky have identified a “lightweight method,” called iShutdown, to identify the presence of spyware on Apple iOS devices. The method allow to discover stealthy and poweful surveillance software like NSO Group‘s Pegasus, Intellexa‘s Predator, QuaDream‘s Reign.
The researchers focused on an unexpected system log, Shutdown.log, which is present in any mobile iOS device. The analysis revealed that the infections left traces in the Shutdown.log, which is a text-based log file. The iOS devices log any reboot event in this file along with multiple environment information.
The experts noticed some log entry notes related to processes that prevented a normal reboot.
“When a user initiates a reboot, the operating system attempts to gracefully terminate running processes before rebooting. If a “client” process is still running when the reboot activity begins, it is logged with its process identifier (PID) and corresponding filesystem path.” reads the analysis published by Kaspersky. “The log entry notes that these processes prevented a normal reboot and that the system is waiting for them to terminate.”
The researchers pointed out that retrieving the Shutdown.log file is easy and allows for time savings compared to other forensic techniques. The log file is stored in a sysdiagnose (sysdiag) archive.
The experts identified entries in the Shutdown.log file that logged instances where “sticky” processes, such as those associated with the spyware, were delaying the reboot.
The analysis of the infections also revealed other similarities such as the path associated with malware execution (“/private/var/db/”).
“Comparing the Shutdown.log for the Pegasus infections we analyzed and the artifacts for the Reign path above, we noticed other similarities with such infections. Malware execution originating from “/private/var/db/” seems to be consistent across all the infections we’ve seen, even if the process names are different.” continues the report. “This is also true for another mobile malware family, Predator, where a similar path, “/private/var/tmp/”, is often used.”
Kaspersky researchers have created a set of Python3 scripts that allow to automate the analysis of the Shutdown.log file. According to Kaspersky, the user needs to generate a sysdiag dump and extract the archive to the analysis machine as a prerequisite
“In conclusion, we’ve analyzed and confirmed the reliability of detecting a Pegasus malware infection using the Shutdown.log artifact stored in a sysdiag archive. The lightweight nature of this method makes it readily available and accessible. Moreover, this log file can store entries for several years, making it a valuable forensic artifact for analyzing and identifying anomalous log entries. Again, this is not a silver bullet that can detect all malware, and this method relies on the user rebooting the phone as often as possible.” concludes Kaspersky. “We’ll continue to analyze the Shutdown.log file in more detail and on different platforms. We expect to be able to create more heuristics from the entries in it.”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, iShutdown)
