SoatDev IT Consulting
  • January 17, 2024
  • Rss Fetcher

Pegasus, an advanced spyware designed to install itself on Android and iOS devices without any action from the targeted user, has been found to leave traces in an unexpected system log, Shutdown.log, which is stored inside the sysdiagnose archive of any iOS device.
Pegasus was originally developed by Israeli cyber-intelligence firm NSO Group (founded in 2010) for eavesdropping on mobile phones and harvesting their data. Its use to track politicians, government leaders, human rights activists, dissidents, and journalists has been highly controversial.
NSO Group claims that the product is sold exclusively to government security and law enforcement agencies, and only for the purpose of aiding rescue operations and battling criminals such as money launderers, sex and drug traffickers, and terrorists.
In 2021, the Pegasus Project—a consortium of more than 80 journalists from 17 media organizations in 10 countries, in conjunction with the Paris-based media group Forbidden Stories, with technical assistance from Amnesty International—focused global attention on the spyware and its suspected use in facilitating human rights violations around the world.
In Israel, Pegasus is classified as a weapon, and any export of the technology must first be approved by the government. In 2019 Facebook, now known as Meta Platforms, sued NSO Group under the United States Computer Fraud and Abuse Act. In 2021 Apple also sued the Group, and President Joseph Biden blacklisted the company, deeming it illegal for U.S. firms to sell technology to NSO Group.
There are resources available online that can help anyone recognize, detect and remove this spyware effectively from any device. Norton’s informative blog provides an in-depth explanation of the spyware.
Kaspersky’s Global Research and Analysis Team (GReAT) has developed a lightweight method to detect indicators of infection from sophisticated iOS spyware such as Pegasus, Reign, and Predator through analysing Shutdown.log, a previously unexplored forensic artifact.
Upon analysis of the Shutdown.log in Pegasus infections, Kaspersky experts observed a common infection path, specifically “/private/var/db/”, mirroring paths seen in infections caused by other iOS malware like Reign and Predator. The company’s researchers suggest this log file holds potential for identifying infections related to these malware families.
Maher Yamout, Lead Security Researcher at Kaspersky’s GReAT, shares his discoveries from the analysis: “The sysdiag dump analysis proves to be minimally intrusive and resource-light, relying on system-based artefacts to identify potential iPhone infections.
“Having received the infection indicator in this log and confirmed the infection using Mobile Verification Toolkit’s (MVT) processing of other iOS artefacts, this log now becomes part of a holistic approach to investigating iOS malware infection.
“Since we confirmed the consistency of this behaviour with the other Pegasus infections we analysed, we believe it will serve as a reliable forensic artefact to support infection analysis.”
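The check described above, scanning Shutdown.log for processes running from “/private/var/db/”, can be sketched as follows. This is an added example, not Kaspersky’s tooling or code from the original article; the two line layouts it parses and the sample log are assumptions constructed for illustration.

```python
import posixpath
import re
from datetime import datetime, timezone

# Path prefix the article reports as common to the analysed infections.
SUSPICIOUS_PREFIX = "/private/var/db/"

# ASSUMED line layouts (not given in the article): one line per process that
# delayed a reboot, and one line closing each reboot event with a Unix time.
CLIENT_RE = re.compile(r"remaining client pid:\s*(\d+)\s*\((.+?)\)\s*$")
SIGTERM_RE = re.compile(r"SIGTERM:\s*\[(\d+)\]")

# Constructed sample input: one clean reboot, one with a flagged process.
SAMPLE_LOG = """\
After 1.00s, these clients are still here:
\t\tremaining client pid: 210 (/usr/libexec/exampled)
SIGTERM: [1700000000] All buses, please exit
After 1.00s, these clients are still here:
\t\tremaining client pid: 431 (/private/var/db/example.staging/exampleproc)
After 2.00s, these clients are still here:
\t\tremaining client pid: 431 (/private/var/db/example.staging/exampleproc)
SIGTERM: [1700086400] All buses, please exit
"""

def scan_shutdown_log(text, prefix=SUSPICIOUS_PREFIX):
    """Return one finding per reboot event with a lingering process under prefix."""
    findings, pending = [], {}
    for line in text.splitlines():
        m = CLIENT_RE.search(line)
        if m:
            # Normalise so "/private/var/db/../x" does not count as a hit.
            path = posixpath.normpath(m.group(2))
            if path.startswith(prefix):
                pending[path] = int(m.group(1))  # same process repeats per retry
            continue
        m = SIGTERM_RE.search(line)
        if m:
            if pending:
                ts = datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc)
                findings.append({"reboot_utc": ts.isoformat(),
                                 "processes": dict(pending)})
            pending = {}
    if pending:  # truncated log: hits without a closing timestamp line
        findings.append({"reboot_utc": None, "processes": dict(pending)})
    return findings

if __name__ == "__main__":
    for finding in scan_shutdown_log(SAMPLE_LOG):
        print(finding)
```

A hit is an indicator to corroborate against other iOS artefacts, for example with MVT as the researcher describes, rather than a verdict on its own.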
