Kaspersky Details Method for Detecting Spyware in iOS
2024-1-17 23:35:22 Author: securityboulevard.com

Researchers with cybersecurity firm Kaspersky are detailing a lightweight method for detecting the presence of spyware, including The NSO Group’s notorious Pegasus software, in Apple iOS devices.

The new method, which calls for looking for traces of spyware in a log file called Shutdown.log on the devices, gives users and cybersecurity professionals an easier and faster way for finding indications of infection of the devices by such spyware as NSO’s Pegasus, QuaDream’s Reign, and Intellexa’s Predator.

“The lightweight nature of this method makes it readily available and accessible,” Kaspersky Senior Security Researcher Maher Yamout wrote in a report this week. “Moreover, this log file can store entries for several years, making it a valuable forensic artifact for analyzing and identifying anomalous log entries. Again, this is not a silver bullet that can detect all malware, and this method relies on the user rebooting the phone as often as possible.”

The Scourge of Spyware

Pegasus, developed by the Israel-based NSO Group, has been the poster child for spyware, which can be secretly and remotely installed on phones running iOS and Android operating systems, collects a broad range of data from those devices, and sends it back to the spyware's operators. NSO and similar vendors have argued that law enforcement agencies, governments, and other organizations can use such spyware to fight terrorism and crime.

However, it has also been used by governments to spy on political dissidents, academics, human rights activists, journalists, and lawyers. In 2022, such groups as CitizenLab and Digital Reach found that the phones of about 30 people in Thailand were infected with Pegasus, allowing the spyware's operators to track them.

Similar cases have come to light relating to Reign and Predator, including some uncovered last year by Amnesty International that spanned the United States, European Union, and Asia, in which Predator was used to target, among others, U.S. politicians, United Nations officials, and the presidents of the European Parliament and Taiwan.

“Yet again, we have evidence of powerful surveillance tools being used in brazen attacks,” Agnes Callamard, secretary general at Amnesty International, said in a statement last year. “The targets this time around are journalists in exile, public figures and intergovernmental officials. But let’s make no mistake: the victims are all of us, our societies, good governance and everyone’s human rights.”

In March 2023, the Biden Administration issued an Executive Order banning the U.S. government from using commercial spyware.

Look to Shutdown.log

According to Kaspersky’s Yamout, typical ways to investigate spyware cases on iOS devices were complex, costly, and time-consuming and involved either examining an encrypted full iOS backup or analyzing the network on a device. Because of this, threats often go undetected by the device users.

However, during an examination of several iPhones in 2021 and 2022, Kaspersky researchers found that Pegasus left traces of infection in Shutdown.log, a text-based system log file available on all iOS mobile devices. Each time a user reboots their device, an entry is written to the file.

During a reboot, the OS tries to end running processes before restarting. If a process keeps running and prevents a normal reboot, it is logged with information such as its process identifier (PID) and filesystem path. Pegasus infections shared a common infection path, /private/var/db/, which appeared in Shutdown.log; the log is stored in the sysdiag (sysdiagnose) archive.

Sysdiag is a collection of system logs and databases that can be used for debugging and troubleshooting purposes and can be found in the iOS general settings under “Privacy and Analytics,” he wrote.

An analysis by CitizenLab of Reign found a similar filesystem path for that spyware – private/var/db/ – and further research found a filesystem path for Predator, /private/var/tmp. This yielded a shared indicator of compromise for all three spyware products.

“Since all three malware families were using a similar filesystem path, and since we confirmed from the Pegasus infection analysis that such a path can be seen in Shutdown.log, we believe that this log file may be able to help identify infections by these malware families,” Yamout wrote.

Reboot, Reboot, Reboot

However, he added that there is a significant caveat – the device's user needs to reboot as often as possible.

“How often, you may ask? Well, it depends!” he wrote. “It depends on the user’s threat profile; every few hours, every day, or perhaps around ‘important events’; we’ll leave this as an open-ended question.”

Checking the Shutdown.log for these filesystem paths is easier and faster than other methods. To make it even more so, Kaspersky created some Python3 scripts to automate the extracting, analyzing, and parsing of Shutdown.log, which can happen after the user generates a sysdiag dump and extracts the archive to an analysis system.
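As an added illustration of the check described above (not Kaspersky's own scripts), the following Python example parses reboot entries out of a Shutdown.log-style text and flags lingering processes whose path begins with the /private/var/db/ or /private/var/tmp prefixes named in the article. The exact line format and the "=== system boot:" delimiter are assumptions; the sample log is constructed.

```python
import re
from typing import Iterable, List, NamedTuple

# Filesystem path prefixes the article associates with Pegasus, Reign and
# Predator traces in Shutdown.log. Legitimate system processes also live under
# /private/var, so a hit is a lead for further triage, not a verdict.
INDICATOR_PREFIXES = ("/private/var/db/", "/private/var/tmp")

# Assumed line shape: a process still running at reboot is logged with its PID
# and path. The exact wording is a constructed approximation of the real log.
CLIENT_RE = re.compile(r"remaining client pid:\s*(\d+)\s*\((?P<path>[^)]+)\)")


class Entry(NamedTuple):
    boot: int      # ordinal of the reboot this line belongs to
    pid: int
    path: str


def parse_shutdown_log(lines: Iterable[str]) -> List[Entry]:
    """Extract (reboot ordinal, PID, path) for every process that delayed a reboot."""
    entries: List[Entry] = []
    boot = 0
    for line in lines:
        if line.startswith("=== system boot:"):   # assumed reboot delimiter
            boot += 1
            continue
        m = CLIENT_RE.search(line)
        if m:
            entries.append(Entry(boot, int(m.group(1)), m.group("path")))
    return entries


def find_suspicious(entries: List[Entry], prefixes=INDICATOR_PREFIXES) -> List[Entry]:
    """Return entries whose path starts with one of the known spyware prefixes."""
    return [e for e in entries if e.path.startswith(prefixes)]


# Constructed sample: two reboots, one with a lingering process under /private/var/db/.
SAMPLE_LOG = """\
=== system boot: 1A2B3C4D-CONSTRUCTED-0001
SIGTERM: [0x1] remaining client pid: 79 (/usr/sbin/wifid)
=== system boot: 1A2B3C4D-CONSTRUCTED-0002
SIGTERM: [0x2] remaining client pid: 1194 (/private/var/db/com.example.stage/agent)
SIGTERM: [0x3] remaining client pid: 80 (/usr/libexec/watchdogd)
""".splitlines()

if __name__ == "__main__":
    for e in find_suspicious(parse_shutdown_log(SAMPLE_LOG)):
        print(f"reboot #{e.boot}: pid {e.pid} still running from {e.path}")
```

Run it against the Shutdown.log extracted from a sysdiagnose archive by reading the file into `parse_shutdown_log`; because the log accumulates across reboots, the reboot ordinal tells you how far back a hit occurred.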

Kaspersky researchers are continuing to analyze the Shutdown.log file, including on different platforms, Yamout wrote.

Source: https://securityboulevard.com/2024/01/kaspersky-details-method-for-detecting-spyware-in-ios/