How to detect spy tool that ‘shook’ the world on iPhones


A team of researchers from a cybersecurity company has claimed to have found a method to detect sophisticated smartphone spyware such as Pegasus and created a tool that is said to enable users to check if there is a spying app on their devices.
Researchers from Kaspersky revealed a new lightweight method to detect spyware like Pegasus, as well as the newer Pegasus-like threats Reign and Predator, by analysing Shutdown.log, a previously unexplored forensic artefact. The tool is publicly shared on GitHub and available for macOS, Windows and Linux.
“The sysdiag dump analysis proves to be minimally intrusive and resource-light, relying on system-based artefacts to identify potential iPhone infections,” said Maher Yamout, lead security researcher at Kaspersky’s GReAT.
“Having received the infection indicator in this log and confirmed the infection using Mobile Verification Toolkit’s (MVT) processing of other iOS artefacts, this log now becomes part of a holistic approach to investigating iOS malware infection,” Yamout added.
How experts spotted spyware presence
Kaspersky experts said that they discovered that Pegasus infections leave traces in an unexpected system log, Shutdown.log, which is stored in any iOS device’s sysdiagnose archive and retains information from each reboot session.
This means that anomalies associated with the Pegasus malware come to the fore in the log if an infected user reboots their device.
The anomalies identified include instances of “sticky” processes that prevent reboots, particularly those linked to Pegasus, along with infection traces discovered through cybersecurity community observations.
Kaspersky experts then analysed the Shutdown.log in Pegasus infections and observed a common infection path, which mirrored paths that were seen in infections caused by other iOS malware like Reign and Predator. The company’s researchers suggest this log file holds the potential for identifying infections related to these malware families.
“Since we confirmed the consistency of this behaviour with the other Pegasus infections we analysed, we believe it will serve as a reliable forensic artefact to support infection analysis,” Yamout added.
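To make the “sticky process” idea concrete, here is an added example (not Kaspersky’s tool or its detection rules) that scans a shutdown-log-style text for processes that were still running when a shutdown was requested and flags any that delayed more than one reboot. The line shape (“remaining client pid: N (path)”), the use of a “SIGTERM:” line as the start of each shutdown attempt, and the sample log are all assumptions constructed for this illustration.

```python
import re
from collections import defaultdict

# Assumed line shape (constructed for this example, not taken from the article):
#   "... remaining client pid: <pid> (<binary path>)"
CLIENT_RE = re.compile(r"remaining client pid: (\d+) \((?P<path>[^)]+)\)")

# Constructed sample: three shutdown attempts; one binary lingers in two of them.
SAMPLE_LOG = """\
SIGTERM: [0x1] remaining client pid: 110 (/usr/libexec/backupd)
SIGTERM: [0x2] remaining client pid: 4410 (/private/var/db/com.example/lockd)
after 3s, remaining client pid: 4410 (/private/var/db/com.example/lockd)
SIGTERM: [0x3] remaining client pid: 4472 (/private/var/db/com.example/lockd)
after 3s, remaining client pid: 4472 (/private/var/db/com.example/lockd)
"""


def parse_shutdown_attempts(text):
    """Split the log into shutdown attempts (a new one starts at each 'SIGTERM:' line).

    Returns a list with one set per attempt, holding the binary paths that were
    still running when the system tried to shut down.
    """
    attempts = []
    for line in text.splitlines():
        if line.startswith("SIGTERM:"):
            attempts.append(set())
        match = CLIENT_RE.search(line)
        if match and attempts:
            attempts[-1].add(match.group("path"))
    return attempts


def sticky_processes(text, min_attempts=2):
    """Map each binary path to the number of separate shutdown attempts it delayed,
    keeping only paths seen in at least `min_attempts` reboots. Repeating across
    reboots is the behaviour the article describes as 'sticky'; a single
    occurrence is usually just a slow but legitimate daemon."""
    counts = defaultdict(int)
    for paths in parse_shutdown_attempts(text):
        for path in paths:  # a set, so a path counts once per attempt
            counts[path] += 1
    return {path: n for path, n in counts.items() if n >= min_attempts}


if __name__ == "__main__":
    for path, n in sticky_processes(SAMPLE_LOG).items():
        print(f"review: {path} delayed shutdown in {n} reboots")
```

A hit is a triage lead, not proof of infection: the article itself pairs this log with MVT processing of the device’s other iOS artefacts before calling a device compromised.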
How to safeguard against advanced spyware on iPhones
Reboot Daily: According to research from Amnesty International and Citizen Lab, Pegasus often relies on zero-click 0-days with no persistence. Regular daily reboots can help clean the device, making it necessary for attackers to repeatedly reinfect, thereby increasing the chances of detection over time.
Lockdown Mode: Apple’s newly added lockdown mode can also block iOS malware infection.
Disable iMessage and FaceTime: iMessage, enabled by default, is an attractive exploitation vector, Kaspersky said. Disabling it reduces the risk of falling victim to zero-click chains. The same advice applies to FaceTime, which is said to be another potential vector for exploitation.
Keep Device Updated: Install the latest iOS patches promptly, as many iOS exploit kits target already patched vulnerabilities.
Exercise caution with links: Avoid clicking on links received in messages, as Pegasus customers may resort to 1-click exploits delivered through SMS, other messengers, or email.
Check Backups: Processing encrypted backups and sysdiagnose archives using MVT and Kaspersky’s tools can help in detecting iOS malware.