iOS 26 update erases critical trace files used to identify Pegasus intrusions


Apple’s latest mobile operating system update, iOS 26, is still being rolled out. However, researchers have already noticed a crucial change to a log file that stores evidence of past device compromises.

According to the iPhone forensics and investigations firm iVerify, this means that if you update, you probably won’t ever find out whether your device had been infected with, for example, Pegasus spyware.

iVerify’s team said it has noticed a change in how iOS 26 handles the shutdown.log file: it effectively erases crucial evidence of Pegasus and Predator spyware infections.


“This development poses a serious challenge for forensic investigators and individuals seeking to determine if their devices have been compromised at a time when spyware attacks are becoming more common,” said the researchers.

That’s because for years, the shutdown.log file has been an invaluable, yet often overlooked, artifact in the detection of iOS malware.

[Image: Pegasus / NSO Group. Image by Shutterstock.]

Located within the Sysdiagnoses in the Unified Logs section, it served as a silent witness to an iOS device's activities, even during its shutdown sequence.

In 2021, for example, the publicly known version of Pegasus spyware was found to leave discernible traces within shutdown.log. These traces provided a critical indicator of compromise, allowing security researchers to identify infected devices.

iVerify says the developers behind Pegasus have refined their methods over the years.

Because their tooling still left evidence in shutdown.log, they began wiping the file entirely. Yet even with this attempted erasure, their own processes still left behind subtle traces.


“Even a seemingly clean shutdown.log that began with evidence of a Pegasus sample was, in itself, an indicator of compromise,” said Matthias Frielingsdorf, VP of Research at iVerify.

However, Apple is now essentially rewriting the shutdown.log file after every device reboot, instead of appending new data at the end.

Naturally, with iOS 26 itself doing the wiping, it will be hard to find evidence of older Pegasus and Predator infections, and a clean shutdown.log file will be indistinguishable from normal iOS behavior.

In other words, any user who updates to iOS 26 and subsequently restarts their device will inadvertently erase any evidence of older Pegasus and Predator infections that might have been present in their shutdown.log.
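To make the appended-versus-rewritten distinction concrete, here is an added Python triage sketch (not code from iVerify, Apple or the article) that counts how many shutdown records a shutdown.log still holds and lists lingering client paths outside stock system directories. The "remaining client pid" line shape, the SIGTERM record separator, the directory allow-list and both sample logs are assumptions or constructed for this example.

```python
import re

# Assumed entry shape, as shutdown.log lines are commonly quoted: "remaining client pid: <pid> (<path>)"
REMAINING_RE = re.compile(r"remaining client pid: (\d+) \((.+)\)")
SHUTDOWN_MARK = "SIGTERM:"  # constructed marker separating one shutdown record from the next
EXPECTED_PREFIXES = ("/usr/libexec/", "/usr/sbin/", "/System/")  # assumed stock locations, not exhaustive

def parse_sessions(text: str) -> list[list[tuple[int, str]]]:
    """Split a shutdown.log into per-shutdown lists of (pid, path) for clients
    still running when the device powered off."""
    sessions, current = [], []
    for line in text.splitlines():
        match = REMAINING_RE.search(line)
        if match:
            current.append((int(match.group(1)), match.group(2)))
        elif line.startswith(SHUTDOWN_MARK):
            sessions.append(current)
            current = []
    if current:  # trailing record without a closing marker
        sessions.append(current)
    return sessions

def triage(text: str) -> dict:
    """Report how much reboot history survives and any lingering client paths
    outside the expected system locations (a lead for an analyst, not a verdict)."""
    sessions = parse_sessions(text)
    unusual = {path for session in sessions for _pid, path in session
               if not path.startswith(EXPECTED_PREFIXES)}
    return {"shutdowns_recorded": len(sessions),
            "history_retained": len(sessions) > 1,
            "unusual_client_paths": sorted(unusual)}

# Constructed sample: an appended log spanning three reboots; the second entry
# points at a placeholder path outside the usual system directories.
APPENDED_LOG = """\
remaining client pid: 40 (/usr/libexec/locationd)
remaining client pid: 88 (/private/var/tmp/PLACEHOLDER-unknown-binary)
SIGTERM: shutdown record 1 (constructed)
remaining client pid: 41 (/usr/libexec/locationd)
SIGTERM: shutdown record 2 (constructed)
remaining client pid: 42 (/usr/sbin/wifid)
SIGTERM: shutdown record 3 (constructed)
"""
# Constructed sample: a rewritten log holding only the most recent shutdown.
REWRITTEN_LOG = """\
remaining client pid: 42 (/usr/sbin/wifid)
SIGTERM: shutdown record (constructed)
"""
```

On the rewritten sample only one record survives, so the "history_retained" flag is false and there is nothing older to inspect, which is exactly the gap the article describes.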

“This automatic overwriting, while potentially intended for system hygiene or performance, effectively sanitizes the very forensic artifact that has been instrumental in identifying these sophisticated threats,” said Frielingsdorf.

“It could hardly come at a worse time – spyware attacks have been a constant in the news and recent headlines show that high-power executives and celebrities, not just civil society, are being targeted.”

Pegasus is a powerful type of spyware developed by the NSO Group, an Israeli technology firm. It’s a zero-click trojan that can infect a phone without the user having to click a malicious link.

Once installed, Pegasus spyware gives an attacker full access to the phone’s data, including messages, photos, calls, location, camera, and microphone.
