Apple is rolling out its new iOS 26 update to millions of iPhones. Researchers say a quiet change buried deep in the operating system makes it harder to detect whether the device was ever infected with high-end spyware such as Pegasus or Predator. The change affects a little-known system log called shutdown.log, long treated as a kind of forensic footprint that might survive even the most sophisticated attacks.

Investigators at iVerify noticed[1] the shift while studying the update. They explained that shutdown.log once kept a historical record every time the phone was turned off and on again. That history could contain tiny fragments of activity that hinted at a past compromise. iVerify called the update “a serious challenge” for anyone trying to understand if a phone was secretly targeted.

A Log That Helped Uncover Attacks

Shutdown.log is included in the output of the sysdiagnose tool that comes with iOS. It has been around for years without much attention. The file does not store messages or photos. Instead, it documents what takes place during a phone’s shutdown sequence. That made it useful for spotting the kinds of low-level processes associated with advanced malware.

In 2021, researchers found that Pegasus infections left recognizable traces inside this log. Those traces were key evidence in public investigations that helped confirm infections on devices belonging to journalists, advocates, and public figures. Pegasus is built by the Israeli company NSO Group. It can infect a phone without the user tapping anything and then unlock almost complete access to private data including calls, messages, location, camera, and microphone.

Developers behind Pegasus quickly adapted once shutdown.log became a focus area. Starting in 2022, the spyware tried to wipe the file entirely. The wipe itself became useful evidence because malware activity tended to overwrite data more aggressively than normal system behavior. Investigators learned to read the absences as a clue. The PDF explains that “a seemingly clean shutdown.log” could serve as its own indicator when paired with other anomalies.

What Changes in iOS 26

The concern now is that iOS 26 overwrites shutdown.log automatically on each reboot. Previous versions appended every new shutdown entry to the bottom of the file. This preserved older entries and created a timeline that forensics experts could study. With the new approach, that history is erased every time the phone restarts.

iVerify notes that this clean slate approach could be intended to improve performance or remove clutter. No one outside Apple knows whether the change was designed or simply overlooked. Timing is the problem. Spyware attacks are on the rise. Security researchers and human rights groups warn that the targets are no longer limited to activists. Executives and celebrities are also being watched more closely. The PDF states that the change “could hardly come at a worse time.”

Losing a Layer of Spyware Detection

Predator, a separate spyware family attributed to Cytrox, has shown similar behavior within shutdown.log since at least 2023, according to forensics reports. Analysts believe Predator borrowed Pegasus tactics, including monitoring shutdown activity to hide traces. Both strains are associated with state-linked surveillance operations.

The update means that anyone who installs iOS 26 and then restarts their phone will lose all historical shutdown logs. If evidence ever existed on that device, it will be gone after the first reboot. This affects Pegasus and Predator cases that may have occurred months or years earlier, making it difficult to confirm whether a phone used by a high-risk individual was previously compromised.

What High-Risk Users Can Do Right Now

Researchers recommend saving a sysdiagnose report before installing iOS 26. That preserves the current shutdown.log in case further analysis becomes necessary. iVerify suggests waiting on the update if possible until Apple clarifies the change or adjusts the behavior in a future patch.
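
One way to check that a saved sysdiagnose really preserved the shutdown history is sketched below. It is an added example, not code from iVerify or the original article. The line shapes it matches (`SIGTERM: [epoch]`, `remaining client pid`) are assumptions taken from public shutdown.log research, and the sample archive, its path, PIDs and process names are constructed.

```python
import hashlib
import io
import re
import tarfile
from datetime import datetime, timezone

# Assumed line shapes, taken from public shutdown.log research, not from this article:
#   "SIGTERM: [<unix epoch>]"               one marker per shutdown cycle
#   "remaining client pid: <pid> (<path>)"  process still running at shutdown
SIGTERM_RE = re.compile(r"SIGTERM: \[(\d+)\]")
CLIENT_RE = re.compile(r"remaining client pid: \d+ \((.+?)\)")

def summarize_shutdown_log(archive_bytes):
    """Locate shutdown.log in a sysdiagnose .tar.gz, hash it, count recorded cycles."""
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
        member = next((m for m in tar.getmembers()
                       if m.isfile() and m.name.rsplit("/", 1)[-1] == "shutdown.log"), None)
        if member is None:
            return None  # archive carries no shutdown.log at all
        data = tar.extractfile(member).read()
    text = data.decode("utf-8", errors="replace")
    epochs = sorted(int(e) for e in SIGTERM_RE.findall(text))
    as_utc = lambda e: datetime.fromtimestamp(e, tz=timezone.utc).isoformat()
    return {
        "member": member.name,
        "sha256": hashlib.sha256(data).hexdigest(),  # record alongside the archive
        "cycles": len(epochs),
        "earliest": as_utc(epochs[0]) if epochs else None,
        "latest": as_utc(epochs[-1]) if epochs else None,
        "history_preserved": len(epochs) > 1,  # one cycle is what an overwritten log looks like
        "client_paths": sorted(set(CLIENT_RE.findall(text))),  # for analyst review
    }

def build_sample_archive(epochs):
    """Constructed sysdiagnose-like archive; path, PIDs and process names are made up."""
    log = "".join(
        f"After 1.00s, these clients are still here:\n"
        f"\tremaining client pid: {100 + i} (/usr/libexec/example{i}d)\n"
        f"SIGTERM: [{e}] constructed entry\n"
        for i, e in enumerate(epochs)).encode()
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo("sysdiagnose_sample/system_logs.logarchive/Extra/shutdown.log")
        info.size = len(log)
        tar.addfile(info, io.BytesIO(log))
    return buf.getvalue(), log

if __name__ == "__main__":
    archive, _ = build_sample_archive([1700000000, 1700086400])
    print(summarize_shutdown_log(archive))
```

Recording the SHA-256 at capture time lets a later analyst confirm the preserved log was not altered after the device was updated.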

Apple has not commented publicly on the shutdown.log shift. It remains uncertain if this is a deliberate security design or something that will be reversed once the implications become better understood.

Why This Matters

The shutdown.log file was never a perfect detection solution, although it helped investigators uncover infections that would have otherwise remained hidden. Losing access to that historical record makes life easier for spyware developers who already push the limits of stealth and persistence. It also places more trust in active scanning and network-based detection, both of which have their own blind spots.

Mobile spyware exists largely to avoid being noticed. A seemingly minor operating system change now risks removing one of the few reliable ways to discover what happened after the fact.

Notes: This post was edited/created using GenAI tools. Image: DIW-Aigen.


By admin