New iShutdown scripts enable the detection of spyware infections on iPhones

Malware hunting on iOS devices has been extremely difficult due to the nature of the iOS ecosystem.

There were only two methods for conducting forensic investigations on iOS devices: either to examine an encrypted full iOS backup or analyze the network traffic of the suspected device.

However, both methods require a lot of time and money and are quite complicated. As a result, several threats might go undetected.

Moreover, Some of the iPhone devices were investigated as part of general security checks that were found with traces of Pegasus malware infections.

Free Webinar

Fastrack Compliance: The Path to ZERO-Vulnerability

Compounding the problem are zero-day vulnerabilities like the MOVEit SQLi, Zimbra XSS, and 300+ such vulnerabilities that get discovered each month. Delays in fixing these vulnerabilities lead to compliance issues, these delay can be minimized with a unique feature on AppTrana that helps you to get “Zero vulnerability report” within 72 hours.

Overview of the detection – Shutdown.log

According to the reports shared with Cyber Security News, Shutdown.log is a text-based log file that logs every reboot event on iOS devices. This file consists of multiple environment characteristics that date back several years and provide a lot of information.

During the analysis of the infected phones, the MVT tool detected the malware by parsing the DataUsage database, among other forensic artifacts that can be investigated.

As a means of investigation, network traffic analysis was initially suggested, which is an effective method but requires a lot of expertise and resources.

However, it was later replaced with Sysdiag dump analysis, a minimally intrusive and resource-light method for investigating iPhone infections using system-based artifacts. Further researching the Shutdown.log file, three malware families were detected: Reign, Pegasus, and Predator.

All of these malware families were using a similar filesystem path according to the Shutdown.log file, which proved to be one of the shortest methods for detecting malware on iOS devices. 

Nevertheless, detecting with the Shutdown.log file has a drawback since it requires a lot of reboots of the affected devices. As a means of easing this process, a few Python scripts were created which were categorized as iShutdown scripts.

Script Analysis

There were three scripts provided such as “iShutdown_detect”, “iShutdown_parse” and “iShutdown_stats” for helping in the extraction, analysis, and parsing of the Shutdown.log artifact. To use these scripts, the user must generate a sysdiag dump and extract the archive into the analysis machine.


This script is used to detect anomalies inside the Shutdown.log file, analyze the log file, and display any of the anomalies if detected.

Detecting an instance of Pegasus indicator (Source: Securelist)
Detecting an instance of Pegasus indicator (Source: Securelist)


This script takes a sysdiag archive as the argument and extracts the Shutdown.log file from it, which can be used by analysts and users who would like to share their log files and parse them for different purposes. Additionally, this script is also capable of 

  • converting the data into a CSV file
  • decoding timestamps and
  • Generate a summary of the parsing, including the source sysdiag and extracted Shutdown.log hashes.
Log Extraction and Parsing (Source: Securelist)
Log Extraction and Parsing (Source: Securelist)


This file does not take the sysdiag archive as the argument as the previous script and can be used to understand how often or when the user rebooted the phone. Moreover, this script also considers that the log file has been extracted.

Reboot stats of a target Shutdown.log (Source: Securelist)
Reboot stats of a target Shutdown.log (Source: Securelist)

A GitHub repository has also been published with scripts that can be used for forensic investigations on iOS devices.

Try Kelltron’s cost-effective penetration testing services to evaluate digital systems security. available.

Eswar is a Cyber security reporter with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is reporting data breach, Privacy and APT Threats.