Identifying Whether Your iOS Device Has Been Compromised by Pegasus Spyware


In the era of digital revolution, the online landscape is increasingly susceptible to a surge in threats, with cyberattacks such as malware posing persistent concerns for both individuals and governments. Notably alarming among these threats is the Pegasus spyware, capable of compromising devices and granting remote attackers unfettered access to all data, effectively transforming the device into a potent surveillance tool. To address the escalating risk posed by sophisticated iOS spyware, including variants like Reign and Predator, researchers at Kaspersky have introduced an innovative and lightweight detection method.

Kaspersky’s Global Research and Analysis Team (GReAT) has unveiled a unique approach that leverages an unexplored forensic artifact—the Shutdown.log file. This file, residing within the sysdiagnose archive of any iOS device, records data from each reboot, serving as a crucial location to identify anomalies caused by Pegasus during device restarts. Furthermore, Kaspersky experts have identified traces of Pegasus infections in this unconventional system log, along with instances of “sticky” processes that hinder reboots—both indicative of spyware activity.

The analysis of sysdiag dumps proves to be minimally intrusive and resource-light, relying on system-based artifacts to identify potential iPhone infections. The confirmed infection indicator in the Shutdown.log, coupled with Mobile Verification Toolkit (MVT) processing of other iOS artifacts, contributes to a holistic approach for investigating iOS malware infections. Kaspersky has developed a self-check tool, utilizing Python3 scripts, to enable users to assess their devices for spyware by examining the Shutdown.log file. This tool is freely available and compatible with macOS, Windows, and Linux, accessible on GitHub.

Despite the inherent difficulty in detecting and preventing spyware like Pegasus, users can implement protective measures to enhance their device’s security. Kaspersky experts recommend the following tips to safeguard iOS devices from spyware:

  1. Restart Daily: Pegasus often utilizes zero-click attacks that do not persist on the device. Regular restarts can eliminate the spyware, prompting attackers to retry, thereby increasing the likelihood of detection.
  2. Utilize Lockdown Mode: Enabling Apple’s lockdown mode can act as a preventive measure, thwarting iOS malware from infiltrating the device.
  3. Disable iMessage and Facetime: These communication platforms can be exploited by attackers for zero-click attacks. Disabling them reduces the risk of spyware intrusion.
  4. Keep Your Device Updated: Promptly installing the latest iOS updates is crucial, as some spyware exploits old vulnerabilities that may be patched in newer releases.
  5. Exercise Caution with Links: Refrain from clicking on links in messages, as Pegasus users may deploy one-click attacks through SMS, email, or other applications.
  6. Audit Backups and Sysdiagnose Files: Employ tools like MVT and Kaspersky’s offerings to scan backups and sysdiagnose files for indications of iOS malware.

Leave a Reply

Your email address will not be published. Required fields are marked *