Researchers with cybersecurity firm Kaspersky are detailing a lightweight method for detecting the presence of spyware, including The NSO Group's notorious Pegasus software, in Apple iOS devices.
The new method, which calls for looking for traces of spyware in a log file called Shutdown.log on the devices, gives users and cybersecurity professionals an easier and faster way of finding indications that a device has been infected by spyware such as NSO's Pegasus, QuaDream's Reign, and Intellexa's Predator.
Pegasus, developed by the Israel-based NSO Group, has been the poster child for spyware: it can be secretly and remotely installed on phones running the iOS and Android operating systems, collects a broad range of data from those devices, and sends it back to the spyware's operators.
NSO and similar vendors have argued that law enforcement agencies, governments, and other organizations can use such spyware to fight terrorism and crime.
In 2022, groups such as CitizenLab and Digital Reach found that the phones of about 30 people in Thailand were infected with Pegasus, allowing the spyware's users to track them.
In March 2023, the Biden Administration issued an Executive Order banning the U.S. government from using commercial spyware.
According to Kaspersky's Yamout, the typical ways to investigate spyware cases on iOS devices have been complex, costly, and time-consuming, involving either examining an encrypted full iOS backup or analyzing the network traffic of a device.
Because of this, threats often go undetected by the device users.
In an examination of several iPhones in 2021 and 2022, Kaspersky researchers found that Pegasus left traces of infection in the Shutdown.log, a text-based system log file available on all mobile iOS devices.
Each time a user reboots their device, the reboot is recorded in the file.
If a process continues to run and prevents a normal reboot, it is logged along with information such as its process identifier and filesystem path.
Pegasus infections had a common infection path - /private/var/db/ - found in the Shutdown.log.
An analysis by CitizenLab of Reign found a similar filesystem path for that spyware - private/var/db/ - and further research found a filesystem path for Predator, /private/var/tmp.
This uncovered an indicator of compromise for all three spyware products.
Checking the Shutdown.log for these filesystem paths is easier and faster than other methods.
The analysis is run against the Shutdown.log, which can happen after the user generates a sysdiag dump and extracts the archive to an analysis system.
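As an added example (not Kaspersky's own tooling), the following Python scan applies the three path indicators described above to extracted Shutdown.log text. The "remaining client pid: N (path)" line shape, the sample log, and the process names in it are constructed assumptions, not taken from the article.

```python
import re
from dataclasses import dataclass

# Filesystem path prefixes the article associates with each spyware family.
# A process under one of these that held up a reboot is an indicator to
# review, not a verdict: /private/var/db/ also hosts legitimate data.
SUSPICIOUS_PREFIXES = {
    "/private/var/db/": "Pegasus/Reign",
    "/private/var/tmp/": "Predator",
}

# Assumed shape of a Shutdown.log entry for a process that delayed reboot
# (an assumption about the format, not quoted from the article).
CLIENT_RE = re.compile(r"remaining client pid:\s*(?P<pid>\d+)\s*\((?P<path>[^)]+)\)")


@dataclass(frozen=True)
class Hit:
    pid: int
    path: str
    family: str


def normalize(path: str) -> str:
    # Some reports drop the leading slash (e.g. "private/var/db/"); compare canonically.
    return path if path.startswith("/") else "/" + path


def scan_shutdown_log(text: str) -> list[Hit]:
    """Return every blocking process whose path falls under a known prefix."""
    hits = []
    for line in text.splitlines():
        m = CLIENT_RE.search(line)
        if not m:
            continue
        path = normalize(m.group("path").strip())
        for prefix, family in SUSPICIOUS_PREFIXES.items():
            if path.startswith(prefix):
                hits.append(Hit(int(m.group("pid")), path, family))
                break
    return hits


# Constructed sample log, not a real capture; paths are placeholders.
SAMPLE_LOG = """SIGTERM: [0x1ff] 2023-11-29 19:36:22 (UTC)
After 3 seconds, still waiting for the following clients:
\tremaining client pid: 512 (/usr/libexec/locationd)
\tremaining client pid: 7301 (private/var/db/com.example.staging/agent)
SIGTERM: [0x200] 2023-12-02 08:11:05 (UTC)
After 5 seconds, still waiting for the following clients:
\tremaining client pid: 1043 (/private/var/tmp/updater)
"""

if __name__ == "__main__":
    for hit in scan_shutdown_log(SAMPLE_LOG):
        print(f"pid {hit.pid}: {hit.path} -> possible {hit.family}")
```

Each hit still needs manual review of the binary and its timing across reboots, since the prefixes are broad system directories.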
Kaspersky researchers are continuing to analyze the Shutdown.log file, including on different platforms, Yamout wrote.
This Cyber News was published on securityboulevard.com. Publication date: Wed, 17 Jan 2024 16:28:03 +0000