Rewterz Threat Update –New Lightweight Method Reliably Identifies Obscure iOS Spyware

Severity

High

Analysis Summary

Cybersecurity analysts have recently discovered a new method named iShutdown that helps in identifying and exposing signs of spyware reliably on Apple iOS devices, even the sophisticated threats like NSO group’s Pegasus, Intellexa’s Predator, and QuaDream’s Reign.

A set of iPhones infected with Pegasus was analyzed and it was uncovered that the malware left traces in a file named “Shutdown.log”, which is a text-based system log file present on all iOS devices responsible for keeping records of every reboot event and its environment characteristics. This method is comparatively straightforward than the more time-consuming methods like a full iOS backup or forensic device imaging. The log file is stored within a sysdiagnose (sysdiag) archive.

The security firm stated that the entries in the log file that recorded instances of processes like the ones linked with the spyware are identified to cause a reboot delay, many cases being observed with Pegasus-related activities in more than four reboot delay notices. The investigation also revealed a similar filesystem path that is used by all three spyware families; “/private/var/db/” for Pegasus and Reign, and “/private/var/tmp/” for Predator.

Researchers have also released a collection of Python scripts publicly that help in extracting, parsing, and analyzing the Shutdown.log to fetch the reboot stats, like the first reboot, last reboot, and the total number of reboots per month. The log file is capable of storing entries for several years, making it a reliable forensic method for analyzing and identifying anomalous log entries.

The disclosure comes due to the revelation of information stealers actively targeting macOS like Atomic, KeySteal, and JaskaGO by evading detection of Apple’s built-in antivirus software named XProtect. Despite numerous efforts by Apple to update XProtect’s signature database, these malware continue to evolve quickly and evade detection, making the sole reliance on signature-based detection insufficient as attackers have the means and motive to adapt quickly. 

Impact

• Cyber Espionage
• Exposure to Sensitive Data

Remediation

• Use a different SMS app. Disable iMessage, or if possible, delete it since it has been abused by Pegasus & other threat actors multiple times exploiting zero-day providing Pegasus an initial access point. It will be not wrong to say it’s their favorite attack spot.
• Avoid public and free Wi-Fi services (including hotels), especially when accessing sensitive information.
• Only open links from known and trusted contacts and sources when using your device.
• Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
• Stick to official app stores like Google Play and Apple App Store.
• Review the permissions an app requests during installation. If an app asks for excessive permissions that are unrelated to its functionality, consider it a red flag.
• Keep your device’s operating system and apps up-to-date.
• Refrain from downloading apps from unofficial sources or third-party app stores. These sources are less regulated and more prone to hosting malicious apps.
• Enable strong authentication methods, such as two-factor authentication (2FA), for your accounts whenever possible.
• Patch and upgrade any platforms and software timely and make it into a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
• Use mobile phone EDR aka mobile endpoint detection and response.
• Use a reputable password manager app.