Kaspersky’s iShutdown Tool Detects Pegasus Spyware on iOS Devices

Kaspersky has recently launched a tool called iShutdown, designed not only to detect the notorious Pegasus spyware but also to identify other malware threats on iOS devices.

The iShutdown tool has been launched a few weeks after Kaspersky cybersecurity researchers revealed significant insights into Operation Triangulation. This investigation delves into how spyware threats compromise iPhones.

Kaspersky’s Global Research and Analysis Team (GReAT) has introduced a new tool that lets users detect Pegasus, a popular iOS spyware known for targeting journalists and activists. This lightweight method called iShutdown will identify signs of spyware on Apple iOS devices, including three prominent spyware families Pegasus, QuaDream’s Reign, and Intellexa’s Predator.

The iShutdown tool is now available to the public, seven months after Kaspersky Labs initially reported the hacking of its employees’ iPhones, referred to as Operation Triangulation. In December 2023, the company released an update disclosing that hackers likely exploited an obscure hardware feature during spyware attacks against iPhone users.

The method was tested on a set of Pegasus-compromised iPhones. However, it must be noted that this method/tool is different from the iShutdown iOS application that allows Mac devices to shut down/sleep/restart/log out.

According to the cybersecurity firm, traces of Pegasus-related processes were discovered in a text-based system log file called “Shutdown.log” on iPhones compromised with the spyware. 

The log file is stored within the sysdiagnose archive of iOS devices. It records every reboot event with its environmental characteristics and is a generally overlooked forensic artefact. It can have entries dating back several years, providing valuable information. When a user initiates a reboot, the operating system terminates running processes, flushing memory buffers, and waiting for a normal reboot.

Its analysis revealed “sticky” processes that hinder reboots. Pegasus-related processes were found in over four reboot delay notices. These anomalies during reboot procedures allowed the tool to flag potential infections with high accuracy. Further analysis revealed a similar filesystem path used by all three spyware families, “/private/var/db/” for Pegasus and Reign, and “/private/var/tmp/” for Predator, as an indicator of compromise.

Kaspersky GReAT’s lead security researcher, Maher Yamout, has confirmed the log’s consistency with other Pegasus infections, making it a reliable forensic artefact for infection analysis. The tool offers enhanced protection to a broader user base.

“Compared to more time-consuming acquisition methods such as forensic device imaging or a full iOS backup, Shutdown.log file recovery is pretty simple,” explained Yamout.

Kaspersky has developed a Python3 utility on GitHub for macOS, Windows, and Linux users to detect spyware. The tool extracts, analyzes, and parses Shutdown.log artifacts. It simplifies detection and raises awareness, empowering users to take control of their digital security.

Kaspersky's iShutdown Tool Detects Pegasus Spyware on iOS Devices

However, Kaspersky suggests users adopt a holistic approach towards data and device security. The company recommends users perform daily reboots, use lockdown mode, disable iMessage and FaceTime, timely iOS updates, and regular check backups.

The announcement comes after SentinelOne’s report revealing that information stealers targeting macOS like KeySteal, Atomic, and JaskaGo are quickly adapting to circumvent Apple’s built-in antivirus technology called XProtect.

  1. QuaDream, Israeli iPhone hacking spyware firm, to shut down
  2. European Spyware Vendor Offering Android, iOS Device Exploits
  3. iPhone Spyware Exploits Obscure Chip Feature, Targets Researchers
  4. Apple’s iPhone Hack Attack Warnings Spark Political Firestorm in India
  5. NSO zero-click iMessage exploit hacks iPhone without need to click links
Related Posts