Kaspersky's Global Research and Analysis Team (GReAT) has developed a new detection method for Pegasus and similarly sophisticated iOS spyware. The cybersecurity provider is providing a publicly available infection check tool on Github.
The spyware Pegasus was recently used in Germany. To make it easier to identify spyware infections, Kaspersky experts have developed a self-check tool for users. In addition to Pegasus, the iOS spyware Reign and Predator are also detected.
Kaspersky experts were able to develop the new detection method because they realized that Pegasus infections leave traces in the system log “Shutdown.log”, which is contained in the diagnostic archive of every mobile iOS device. The archive contains information about each reboot process, so Pegasus malware anomalies become visible in the log as soon as an infected user reboots their device. These include, among other things, particularly with the Pegasus spyware, “sticky” processes that prevent reboots and traces of infection discovered by the cybersecurity community.
Pegasus leaves traces of infection
When analyzing the Shutdown.log of Pegasus infections, Kaspersky experts found the infection path “/private/var/db/”, which corresponded to the paths of other iOS malware such as Reign and Predator. Kaspersky experts believe that this log file has the potential to identify infections related to these malware families.
Based on these findings, a self-check tool for users was developed. With the help of The-Python3 script, the Shutdown.log can be more easily extracted, analyzed and parsed. The tool is freely available on Github for macOS, Windows and Linux.
“Sysdiag dump analysis is a minimally invasive and resource-efficient method that relies on system-based artifacts to identify potential iPhone infections,” explains Maher Yamout, Lead Security Researcher at Kaspersky’s GReAT. “By using the infection indicator from this log and confirming the infection using MVT (Mobile Verification Toolkit) processing of other iOS artifacts, the log now becomes part of a holistic approach to investigating iOS malware infections. We have verified behavioral consistency with other Pegasus infections analyzed, so we expect it will serve as a reliable forensic artifact to support infection analysis.”
Recommendations for protecting against advanced iOS spyware
- Restart devices daily. According to research by Amnesty International and Citizen Lab, Pegasus is often based on non-persistent zero-click zero-day exploits. Restarting regularly can help clean up the device; Attackers would then have to reinfect it again and again.
- Use lockdown mode because public reports attest to its success in blocking iOS malware infections.
Disable iMessage and Facetime, which are among the most exploited services by hackers, so disabling them reduces the risk of being infected by zero-click chains. - Update mobile devices regularly. The latest iOS patches should be installed immediately as many iOS exploit kits target previously patched vulnerabilities.
- Do not open links in messages as Pegasus can be distributed via 1-click exploits via SMS, email or messenger.
- Regularly create backups and perform system diagnostics; Kaspersky tools can help detect iOS malware.
About Kaspersky Kaspersky is an international cybersecurity company founded in 1997. Kaspersky's in-depth threat intelligence and security expertise serve as the basis for innovative security solutions and services to protect companies, critical infrastructures, governments and private users worldwide. The company's comprehensive security portfolio includes leading endpoint protection as well as a range of specialized security solutions and services to defend against complex and evolving cyber threats. Kaspersky technologies protect over 400 million users and 250.000 corporate customers. More information about Kaspersky can be found at www.kaspersky.com/