
Kaspersky has developed a new tool that scans iOS devices for the presence of spyware. The free tool, dubbed iShutdown, can check if an iOS device has been infected by Pegasus, Predator, Reign, or other “sophisticated” spyware. It does this by scanning the device’s system log.

In a press release on Tuesday, Kaspersky said its Global Research and Analysis Team (GReAT) observed that Pegasus infections “leave traces in the unexpected system log, Shutdown.log,” found in all iOS devices. iShutdown checks for these crumbs of data, which can be a good indication that a device is infected with spyware.

“iOS spyware, such as Pegasus, is highly sophisticated. While the cyber community may not always prevent successful exploitation, users can take steps to make it challenging for attackers,” Kaspersky said.

How Kaspersky’s iShutdown Works

Kaspersky’s tool detects spyware by analyzing the Shutdown.log file, a previously underutilized forensic artifact within the “sysdiagnose archive” of all mobile iOS devices. This file, which records details from each reboot session, can be crucial in detecting spyware infections.

“This archive retains information from each reboot session, meaning anomalies associated with the Pegasus malware become apparent in the log if an infected user reboots their device,” Kaspersky said in its press release.

Usually, when an iOS device is rebooted, all running processes are terminated, and the system starts afresh. However, spyware like Pegasus can create processes that Kaspersky dubbed “sticky,” meaning they have a way of persisting and delaying reboots or quickly reinitializing after a reboot.

This is unusual behavior for standard applications and processes and a red flag for potential spyware infection.

In their analysis of the Shutdown.log file, Kaspersky researchers also observed a common infection path — “/private/var/db/” — which other spyware families, such as Reign and Predator, also use.
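As an added illustration (not Kaspersky's iShutdown code), the three indicators described above, applied to a constructed, simplified Shutdown.log-like sample: a lingering client under /private/var/db/, a client that survives into more than one reboot session, and a delayed reboot. The session markers, line format, paths and the 10-second wait threshold are assumptions for this example, not the exact on-device format.

```python
import re
from collections import defaultdict
# Constructed sample in a simplified Shutdown.log-like format (assumed for this
# example, not the exact on-device format): clients still running at shutdown.
SAMPLE_LOG = """\
== reboot session 1 ==
SIGTERM: [0x1a2b] remaining client pid: 212 (/usr/libexec/example-syncd)
SIGTERM: [0x1a2b] waited for 3s
== reboot session 2 ==
SIGTERM: [0x3c4d] remaining client pid: 318 (/private/var/db/example.sticky/agent)
SIGTERM: [0x3c4d] waited for 15s
== reboot session 3 ==
SIGTERM: [0x5e6f] remaining client pid: 401 (/private/var/db/example.sticky/agent)
SIGTERM: [0x5e6f] remaining client pid: 77 (/usr/sbin/example-mdnsd)
SIGTERM: [0x5e6f] waited for 22s
"""

SESSION_RE = re.compile(r"^== reboot session (\d+) ==$")
CLIENT_RE = re.compile(r"remaining client pid: \d+ \((?P<path>[^)]+)\)")
WAIT_RE = re.compile(r"waited for (\d+)s")
SUSPICIOUS_PREFIX = "/private/var/db/"   # infection path named in the article

def parse_sessions(log_text):
    # Map reboot session id -> {'paths': [lingering clients], 'wait': max seconds}
    sessions, current = {}, None
    for line in log_text.splitlines():
        if m := SESSION_RE.match(line):
            current = int(m.group(1))
            sessions[current] = {"paths": [], "wait": 0}
        elif current is None:
            continue
        elif m := CLIENT_RE.search(line):
            sessions[current]["paths"].append(m.group("path"))
        elif m := WAIT_RE.search(line):
            sessions[current]["wait"] = max(sessions[current]["wait"], int(m.group(1)))
    return sessions

def analyze(log_text, wait_threshold=10):
    """Apply the three heuristics from the article; every result is a sorted list."""
    sessions = parse_sessions(log_text)
    seen_in = defaultdict(set)          # path -> set of session ids it lingered in
    for sid, s in sessions.items():
        for path in s["paths"]:
            seen_in[path].add(sid)
    return {
        "suspicious_paths": sorted(p for p in seen_in if p.startswith(SUSPICIOUS_PREFIX)),
        # "sticky" = same client lingers in more than one reboot session; baseline
        # benign daemons first, since some legitimately linger every time
        "sticky": sorted(p for p, ids in seen_in.items() if len(ids) > 1),
        "delayed_sessions": sorted(s for s, v in sessions.items() if v["wait"] >= wait_threshold),
    }
```

Any hit is a lead for a full sysdiagnose review, not proof of infection on its own.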

Besides iOS, Kaspersky has also made iShutdown scripts available for macOS and Linux devices on GitHub.

How to Protect Your Device From Spyware

Criminals are known to use spyware to target politicians, business executives, and other high-profile figures, but it can also be employed against anyone. In June 2023, Kaspersky revealed that dozens of its employees had found spyware on their iPhones.

To shield your iOS device from spyware, Kaspersky recommends daily reboots, using Apple’s improved Lockdown Mode, disabling iMessage and FaceTime, keeping devices updated with the latest iOS patches, and exercising caution with links in messages.

These practices, combined with basic safety measures like using antivirus software and a virtual private network (VPN), can fortify your defenses against spyware and other online threats.
