Researchers at Kaspersky’s Global Research and Analysis Team (GReAT) have developed and released a lightweight method to help Apple iPhone users at risk of being targeted by the Pegasus spyware detect its presence on their devices.
The Apple ecosystem has been heavily targeted by spyware developers in the past due to its widespread popularity. Pegasus, developed by disgraced Israeli developer NSO and sold to governments that used it to spy on activists, dissidents, journalists and political opponents, is arguably the most widely known of such tools. However, others do exist, such as Predator, which originated at a European company called Cytrox, and Reign, which is thought to have been used by both the NSA and GCHQ.
Kaspersky claims its new tool reveals the presence of Pegasus through analysing a previously unexplored forensic artefact called Shutdown.log. Shutdown.log is an unexpected system log stored within an iOS device’s sysdiagnose archive, which retains information from each reboot session. As a result, the GReAT team found that anomalies linked to Pegasus become apparent if an infected user reboots the device.
Among the traces found were instances of sticky processes that impeded reboots, and infection traces previously observed by other cyber researchers.
The team also observed a common infection path that mirrored those seen in Predator and Reign infections, which would suggest the methodology also holds potential for identifying those infections.
“The sysdiag dump analysis proves to be minimally intrusive and resource-light, relying on system-based artefacts to identify potential iPhone infections. Having received the infection indicator in this log and confirmed the infection using Mobile Verification Toolkit (MVT) processing of other iOS artefacts, this log now becomes part of a holistic approach to investigating iOS malware infection,” said Kaspersky GReAT lead security researcher Maher Yamout.
“Since we confirmed the consistency of this behaviour with the other Pegasus infections we analysed, we believe it will serve as a reliable forensic artefact to support infection analysis.”
Kaspersky’s new self-assessment tool is a Python3 script that extracts, analyses and parses the Shutdown.log artefact. It has been made available for public use on GitHub, and can also be used on devices running macOS, Windows and Linux.
Besides taking advantage of its new tool, Kaspersky also advised users who believe they may be at risk of orchestrated attempts to spy on them through their devices to take a number of additional steps.
These include rebooting devices daily, as many of the zero-day exploits Pegasus has historically used do not enable persistence if rebooted; turning on Apple’s onboard Lockdown Mode; disabling iMessage and Facetime, which are both heavily used as an exploitation vector; patching devices quickly whenever Apple releases new security updates; being cautious about their online behaviour – avoiding clicking on links received in messages, for example; and checking backups and sysdiags regularly.
Kaspersky was itself targeted by a zero-click iOS spyware dubbed Triangulation, which was delivered from 2019 onwards via two chained zero days in the operating system. This malware is particularly sophisticated, especially when it comes to some of the methodologies it deploys to obfuscate its attack chain and presence.
The origins of Triangulation are unknown, but given Kaspersky’s Russian heritage, its disclosures were subsequently used by the Kremlin’s FSB security agency to accuse Apple of colluding with the US intelligence services to snoop on the cyber firm. Apple has strenuously denied this, saying it would never work with any government to insert a backdoor in its products.