Security researchers found that infections with the high-profile spyware Pegasus, Reign, and Predator could be discovered on compromised Apple mobile devices by checking Shutdown.log.
Kaspersky released Python scripts to help automate the analysis of the Shutdown.log file and recognize potential signs of malware infection in a way that is easy to evaluate.
Shutdown.log is written when the device reboots and records how long each process needed to terminate, along with its identifier.
Malware that has a measurable effect on device reboot, due to the process injection and manipulation it performs, leaves digital forensic artifacts that validate the compromise.
Compared to standard techniques like examining an encrypted iOS backup or network traffic, the Shutdown.log file provides a much easier analysis method, the researchers say.
Because the Shutdown.log file can only record signs of infection if a reboot is performed after the compromise, Kaspersky recommends restarting the device often.
Kaspersky's GitHub repository contains instructions on how to use the Python scripts, and also example outputs.
Some familiarity with Python, iOS, terminal output, and malware indicators is required to evaluate the results properly.
The log file is part of the .tar.gz sysdiagnose archives used for troubleshooting iOS and iPadOS devices, which contain information about software behavior, network communications, and more.
Kaspersky initially used the method to analyze iPhones infected with Pegasus spyware and found the infection indicator in the log, which was confirmed using the MVT (Mobile Verification Toolkit) tool developed by Amnesty International.
The researchers note that their method fails if the user doesn't reboot the device on the day of the infection.
Another observation is that the log file registers when a reboot is delayed, as happens when a Pegasus-related process prevents the procedure from completing.
While this can also happen on non-infected phones, Kaspersky researchers consider more than four delays excessive and a log anomaly that should be investigated.
A similar path visible in the Shutdown.log file is also often used by the Predator spyware that targeted lawmakers and journalists.
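To make the delayed-reboot heuristic above concrete, here is an added example (not Kaspersky's iShutdown code) that splits a Shutdown.log into reboot sessions, counts delay entries per session, flags sessions with more than four delays, and collects the paths of the processes that held up shutdown so an analyst can review them. The line patterns and the session layout (entries following a `=== system boot` marker belong to that session) are assumptions; the sample log is constructed, not a real capture.

```python
import re
from dataclasses import dataclass, field

DELAY_THRESHOLD = 4  # more than four delayed-shutdown entries in one session is the anomaly described
# Patterns approximate the shutdown.log layout (an assumption; verify against a real file)
BOOT_RE = re.compile(r"^=== system boot: (?P<ts>.+)$")
DELAY_RE = re.compile(r"^After \d+s, there are still \d+ clients?, pids: .+$")
CLIENT_RE = re.compile(r"^remaining client pid: (?P<pid>\d+) \((?P<path>[^)]+)\)$")

@dataclass
class BootRecord:
    timestamp: str
    delays: int = 0                                   # count of "After Ns, there are still ..." lines
    remaining: dict = field(default_factory=dict)     # pid -> path of processes that held up shutdown

    @property
    def anomalous(self) -> bool:
        return self.delays > DELAY_THRESHOLD

def parse_shutdown_log(text: str) -> list:
    """Split the log at '=== system boot' markers; entries after a marker are assumed to be that session's."""
    boots = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if m := BOOT_RE.match(line):
            boots.append(BootRecord(timestamp=m["ts"]))
        elif not boots:
            continue                                  # entries before the first marker cannot be attributed
        elif DELAY_RE.match(line):
            boots[-1].delays += 1
        elif m := CLIENT_RE.match(line):
            boots[-1].remaining[int(m["pid"])] = m["path"]
    return boots

def suspicious_boots(text: str) -> list:
    """Sessions delayed more than DELAY_THRESHOLD times; .remaining holds the paths to review next."""
    return [b for b in parse_shutdown_log(text) if b.anomalous]

# Constructed sample, not a real capture: one clean session, then one held up five times by pid 455
SAMPLE_LOG = """\
=== system boot: 2024-01-10 08:14:02
SIGTERM: [0x1e01] pid: 120 (/usr/sbin/exampled)
=== system boot: 2024-01-11 09:30:45
After 3s, there are still 1 clients, pids: 455
remaining client pid: 455 (/usr/libexec/exampled)
After 6s, there are still 1 clients, pids: 455
After 9s, there are still 1 clients, pids: 455
After 12s, there are still 1 clients, pids: 455
After 15s, there are still 1 clients, pids: 455
"""
```

Running `suspicious_boots(SAMPLE_LOG)` returns only the second session, with five delays and `/usr/libexec/exampled` as the process to review; a clean session with no delay lines is not flagged.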
This Cyber News was published on www.bleepingcomputer.com. Publication date: Wed, 17 Jan 2024 18:05:23 +0000