Some employees of anti-virus developer Kaspersky were previously attacked, and their iPhones were somehow implanted with spyware. Kaspersky discovered the anomalies by monitoring traffic on its internal network, and the attack was later named Triangulation.

Kaspersky is still tracking Triangulation attacks. In the course of that research, Kaspersky researchers found a method that can quickly detect whether an iPhone has been implanted with spyware.

In the past, if you wanted to detect whether malware had been implanted, you needed to back up the entire iPhone and then examine the backup data for anomalies. Now Kaspersky has found a lightweight detection method: iShutdown.

The method relies on a log file, shutdown.log. Kaspersky found similarities after studying three spyware families from Israeli spyware developers: Pegasus from NSO Group, Reign from QuaDream, and Predator from Intellexa.

What they have in common is that they all leave traces in the device's restart log. Put simply, because all spyware wants to be persistent, it must somehow stay resident in the background for a long time.

Therefore, when the iPhone restarts, these spyware-related processes hold up the restart process, making the restart take slightly longer, and the system leaves corresponding entries in the log recording these events.

The investigation found that all three Israeli commercial spyware developers used similar file system paths: /private/var/db/ and /private/var/tmp/.

Kaspersky said that when users restart their iPhones frequently, the relevant entries are easier to observe in the logs, so in future only shutdown.log needs to be extracted to analyze whether an iPhone is infected with spyware.

It should be noted that shutdown.log cannot simply be read off the device. iOS mainly collects such logs through sysdiagnose, so a sysdiagnose archive has to be generated and exported before shutdown.log can be used. The exported file is a .tar.gz of about 200~400 MB, and after decompression the required log is located under system_logs.logarchive/Extra.

To this end, Kaspersky wrote a Python script that automatically searches the exported logs for abnormal entries. If abnormal entries are found, researchers still need to examine the corresponding log content carefully to determine whether the device is infected with spyware.
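As an added illustration of the detection idea (this is not Kaspersky's iShutdown script), the following Python scans a shutdown.log for processes that were still running when the device shut down and flags those living under the two paths named above. The sample log and its line layout are constructed and simplified for the example; the real file's format should be checked against the iShutdown repository.

```python
import re
from collections import Counter

# The two directories the article says all three spyware families share.
SUSPICIOUS_PREFIXES = ("/private/var/db/", "/private/var/tmp/")

# Constructed sample in an assumed, simplified layout: one "SIGTERM" marker per
# shutdown, a delay line, then one line per process still alive at shutdown.
SAMPLE_LOG = """\
SIGTERM: shutdown requested
After 3s, there are still 1 proc(s) running:
remaining client pid: 1234 (/usr/libexec/locationd)
SIGTERM: shutdown requested
After 7s, there are still 2 proc(s) running:
remaining client pid: 4321 (/private/var/db/com.example.stager/launcher)
remaining client pid: 4322 (/private/var/tmp/updater)
"""

REBOOT_RE = re.compile(r"^SIGTERM:")
DELAY_RE = re.compile(r"^After (\d+)s, there (?:is|are) still (\d+) proc")
PROC_RE = re.compile(r"remaining client pid:\s+(\d+)\s+\((\S+)\)")


def parse_shutdown_log(text):
    """Split the log into shutdowns: each has the longest delay seen and the lingering (pid, path) list."""
    reboots = []
    for line in text.splitlines():
        if REBOOT_RE.match(line):
            reboots.append({"delay_s": 0, "procs": []})
            continue
        if not reboots:
            continue  # ignore anything before the first shutdown marker
        m = DELAY_RE.match(line)
        if m:
            reboots[-1]["delay_s"] = max(reboots[-1]["delay_s"], int(m.group(1)))
            continue
        m = PROC_RE.search(line)
        if m:
            reboots[-1]["procs"].append((int(m.group(1)), m.group(2)))
    return reboots


def find_suspicious(text):
    """Return every lingering process whose binary lives under a suspicious prefix, with its shutdown index."""
    hits = []
    for idx, reboot in enumerate(parse_shutdown_log(text)):
        for pid, path in reboot["procs"]:
            if path.startswith(SUSPICIOUS_PREFIXES):
                hits.append({"reboot": idx, "delay_s": reboot["delay_s"], "pid": pid, "path": path})
    return hits


def path_frequency(text):
    """Count how many shutdowns each path delayed; a path recurring across many reboots deserves a closer look."""
    return Counter(path for r in parse_shutdown_log(text) for _, path in r["procs"])
```

A hit is only a lead: as the article notes, the matching log entries still have to be reviewed by hand before concluding the device is infected.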

Finally, it is still not clear who initiated the Triangulation attack against Kaspersky. The spyware used in the Triangulation attack is new software and was not produced by the Israeli commercial spyware developers named above.

Additional link: https://github.com/KasperskyLab/iShutdown