iOS Spyware: How to Detect Them with the iShutdown Script

Pegasus, Reign and Predator are sophisticated iOS spyware designed specifically to monitor the activity of Apple device owners and steal their personal data and confidential information. These malicious components have been analyzed by several sources, including Kaspersky. Their use has drawn the attention of companies and researchers in the field of computer security, above all because they are deployed in high-profile cyber attacks whose targets are specific individuals, often politically exposed, as well as leading companies.

As highlighted in our other articles, the criminals behind threats such as Pegasus, Reign and Predator often stay under the radar: they use techniques to remain hidden after infecting an iOS device.

What the Shutdown.log file is and why it reveals iOS spyware infections

Shutdown.log is a log file created on iOS devices in which every reboot event is recorded, along with various characteristics of the environment. The file can contain entries dating back quite far in time, which is precisely why its contents provide excellent clues about suspicious activity at the system level.

Kaspersky researchers observe that Shutdown.log has historically been ignored even though it holds valuable information. The company's experts discovered that, unexpectedly, infections by the spyware mentioned above leave traces in this system log. Anomalies associated with Pegasus, Reign and Predator therefore become visible in the log when the user restarts an infected device.

Shutdown.log records iOS reboots, along with the date and time at which each running process is stopped. For each process the file also retains the corresponding process ID (PID), the identifier that uniquely identifies it.

How the iShutdown scripts check for spyware on Apple devices

Starting from their observations of the Shutdown.log system file, Kaspersky researchers and developers created a set of Python scripts, collectively called iShutdown, that examine the traces left by spyware that may be running on an iOS device. The scripts are the following three:

  • iShutdown_detect.py: checks for anomalous references in the compressed TAR archive of a Sysdiagnose. These alone could already be a sign of a malware infection.
  • iShutdown_parse.py: extracts the Shutdown.log file from the Sysdiagnose archive and analyzes it. The script outputs a CSV file with references to the suspicious processes, along with their MD5, SHA1 and SHA256 hashes.
  • iShutdown_stats.py: extracts the device's reboot data from Shutdown.log, for example the first and last reboots, the number of startups per month, and so on.

The iShutdown project's GitHub repository contains useful information on using the Python scripts, plus some output examples. A result of Suspicious processes constitutes unequivocal confirmation of the presence of spyware. In any case, all the proposed scripts can be run as they are by invoking python3.
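To make the parse and stats steps concrete, here is an added example (not code from the iShutdown repository) that reads a Shutdown.log-style text, computes the reboot statistics the article attributes to iShutdown_stats.py, and flags processes whose binary lives outside the usual system directories. The sample log, its line layout and the SYSTEM_PREFIXES allowlist are all constructed assumptions for illustration, not Kaspersky's detection rule or a real capture.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in a simplified Shutdown.log-like layout (not a real capture).
SAMPLE_LOG = """\
== Reboot: 2023-09-14 08:02:11 ==
After 3 seconds, there are still 2 clients
remaining client pid: 67 (/usr/sbin/wifid)
remaining client pid: 812 (/private/var/tmp/.hidden/agent)
== Reboot: 2023-10-02 19:45:03 ==
remaining client pid: 71 (/usr/libexec/locationd)
== Reboot: 2023-10-21 07:10:58 ==
remaining client pid: 812 (/private/var/tmp/.hidden/agent)
"""

REBOOT_RE = re.compile(r"^== Reboot: (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ==$")
CLIENT_RE = re.compile(r"^remaining client pid: (\d+) \((.+)\)$")

# Assumed allowlist: a process binary outside these directories is reported for review.
SYSTEM_PREFIXES = ("/usr/", "/System/", "/sbin/", "/bin/", "/Applications/")

def parse_shutdown_log(text):
    """Return (reboots, clients): reboot timestamps and (ts, pid, path) tuples."""
    reboots, clients, current = [], [], None
    for line in text.splitlines():
        m = REBOOT_RE.match(line)
        if m:
            current = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            reboots.append(current)
            continue
        m = CLIENT_RE.match(line)
        if m and current is not None:
            clients.append((current, int(m.group(1)), m.group(2)))
    return reboots, clients

def reboot_stats(reboots):
    """First/last reboot and reboots per month, the figures iShutdown_stats.py reports."""
    per_month = Counter(ts.strftime("%Y-%m") for ts in reboots)
    return {"first": min(reboots), "last": max(reboots), "per_month": dict(per_month)}

def suspicious_clients(clients):
    """Map each binary path outside SYSTEM_PREFIXES to the (timestamp, pid) pairs seen."""
    flagged = {}
    for ts, pid, path in clients:
        if not path.startswith(SYSTEM_PREFIXES):
            flagged.setdefault(path, []).append((ts, pid))
    return flagged
```

Run parse_shutdown_log on the text of an extracted Shutdown.log, then pass its results to reboot_stats and suspicious_clients; a path that recurs across several reboots, as the constructed agent does here, is the kind of persistence the article says the real scripts surface.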

Although Kaspersky's solution was created in response to the spread of the Pegasus, Reign and Predator spyware, the information contained in the log file can also help surface new malware families.

How to protect yourself from the smartest and most invasive iOS spyware

iOS spyware like Pegasus and its "partners" is highly sophisticated. Although it is not always possible to protect yourself, especially against targeted attacks, it is possible to make life harder for cybercriminals and expose threats by applying some effective guidelines.

Very often the infection succeeds by exploiting 0-day and zero-click attacks. In other words, attackers leverage recently discovered vulnerabilities in Apple software (better still, from their point of view, if not yet known to the Cupertino company). Furthermore, in most cases they try to devise an attack that "just works", without the user having to interact in any way (hence the name zero-click). These are evidently the most advanced modes of attack and, from the attackers' point of view, offer the best results and the highest success rate.

Kaspersky notes that rebooting your iOS device daily helps remove threats from memory: attackers would have to repeat their attack, increasing their chances of getting caught. The Lockdown Mode that can be activated on iOS also helps stop infections.

The company also makes a drastic suggestion: vulnerabilities discovered in iMessage and FaceTime are frequently exploited by cybercriminals to carry out zero-click attacks. Giving up these applications can help protect your device and the data stored on it.

Obviously, it remains essential to keep the device updated by promptly installing the latest iOS patches. Many iOS exploit kits target vulnerabilities that Apple has already patched. Finally, be careful with links: avoid opening links received via SMS, messaging apps or email. Using a tool like iShutdown can also help detect iOS malware.

Opening image credit: "A lightweight method to detect potential iOS malware", Kaspersky.
