A lightweight method to detect potential iOS malware

Introduction


In the ever-evolving landscape of mobile security, hunting for malware in the iOS ecosystem is akin to navigating a labyrinth with invisible walls. Imagine having a digital compass that not only guides you through this maze, but also reveals the hidden mechanisms of iOS malware previously shrouded in mystery. This is not a tool – this is the nature of digital forensic artifacts. In this blog post, we’ll explore one particular forensic artifact that stands out for uncovering some of the most elusive malware on iOS devices and shedding more light on the traces left by the sophisticated threats endangering the trusted companions in our pockets.


In 2021 and 2022, we had the privilege of working on a few Pegasus malware infections on several iPhone devices. The iPhones were initially given to us by our partners for general security checks, before we discovered the infections.


Investigating such cases can be complicated, costly, or time-consuming due to the nature of the iOS ecosystem. As a result, related threats can often go undetected by the general public. To date, the common methods for analyzing an iOS mobile infection are either to examine an encrypted full iOS backup, or to analyze the network traffic of the device in question. Both methods, however, are time-consuming or require a high level of expertise, which limits their use.


Through our analysis, we discovered that the infections left traces in an unexpected system log, Shutdown.log, a system log file available on any mobile iOS device. Since these traces were consistent across the several infections we analyzed, we decided to dissect and understand this log file in more detail, as it could serve as another method to detect mobile malware.
