
Apple has reversed a controversial logging change introduced in iOS 26 that hindered the detection of Pegasus and Predator spyware infections, restoring a critical forensic artifact with the release of iOS 26.2.
The move follows months of criticism from the security community, which warned that the earlier change erased historical evidence of compromise from affected devices.
The issue was first highlighted in September 2025 by researchers at iVerify, a mobile security firm specializing in iOS threat detection. Matthias Frielingsdorf, iVerify’s VP of Research, has now confirmed that Apple reinstated the previous behavior of the shutdown.log file starting with iOS 26.2. Under the original iOS 26 release, the operating system began overwriting the shutdown.log file each time a device restarted, replacing the entire file with only the most recent shutdown entry. This effectively deleted the historical data that investigators relied on to detect past infections from earlier variants of Pegasus and Predator spyware.
Prior to iOS 26, shutdown.log entries accumulated over time and were accessible through Apple’s Sysdiagnose tool. These logs often contained subtle anomalies tied to spyware activity, including stalled shutdown processes and traces of suspicious system components. For older Pegasus and Predator strains, particularly those active before 2023, the log served as a valuable indicator of compromise (IoC). Although newer versions of these commercial spyware platforms have evolved to avoid leaving such traces, historical log data remained crucial for forensic investigations on previously infected devices.
iVerify, founded to provide endpoint detection and response (EDR) capabilities for Apple devices, has built its platform around in-depth knowledge of iOS internals and kernel-level behavior. Their findings on the shutdown.log change drew widespread discussion within the security community, including debate over Apple’s control of iOS visibility and the broader impact on independent research.
With iOS 26.2, Apple has reverted to creating a new shutdown.log file at each reboot instead of overwriting the existing one, restoring the historical logging behavior that investigators depend on. However, this fix does not retroactively recover logs lost on devices that upgraded to earlier iOS 26 builds. Devices that already had their shutdown.log overwritten cannot retrieve erased entries.
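The triage an investigator would run on a shutdown.log pulled from a sysdiagnose archive can be sketched as follows. This is an added example, not code from iVerify or Apple: it counts how many shutdown sessions the file still holds and flags sessions where processes stalled the shutdown. The line layout, the sample paths and the 5-second threshold are assumptions, and the sample log is constructed.

```python
import re

# Constructed sample; the line layout is an assumption about shutdown.log,
# not taken from the article. Paths and timestamps are made up.
SAMPLE = """\
After 1.05s, these clients are still here:
\t\tremaining client pid: 101 (/usr/libexec/exampled)
SIGTERM: [1700000000] All buses/All clients quiesced.
After 1.10s, these clients are still here:
\t\tremaining client pid: 202 (/usr/libexec/sampled)
After 9.40s, these clients are still here:
\t\tremaining client pid: 202 (/usr/libexec/sampled)
SIGTERM: [1700600000] All buses/All clients quiesced.
"""

DELAY = re.compile(r"^After ([\d.]+)s, these clients are still here")
CLIENT = re.compile(r"remaining client pid: (\d+) \((.+)\)")
END = re.compile(r"^SIGTERM: \[(\d+)\]")

def parse_sessions(text):
    """Split the log into one record per shutdown (closed by a SIGTERM line)."""
    sessions, cur = [], {"max_delay": 0.0, "clients": set()}
    for line in text.splitlines():
        if m := DELAY.match(line):
            # Keep the longest wait reported during this shutdown.
            cur["max_delay"] = max(cur["max_delay"], float(m.group(1)))
        elif m := CLIENT.search(line):
            cur["clients"].add(m.group(2))
        elif m := END.match(line):
            cur["epoch"] = int(m.group(1))
            sessions.append(cur)
            cur = {"max_delay": 0.0, "clients": set()}
    return sessions

def triage(text, stall_seconds=5.0):
    """Summarise retained history and list shutdowns that stalled."""
    sessions = parse_sessions(text)
    stalled = [s for s in sessions if s["max_delay"] >= stall_seconds]
    return {
        "sessions": len(sessions),
        # A single session on a device that has rebooted many times matches
        # the iOS 26 overwrite behaviour the article describes.
        "multiple_sessions": len(sessions) > 1,
        "stalled": [(s["epoch"], sorted(s["clients"])) for s in stalled],
    }

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A stalled shutdown is only a lead for further review; which processes count as unexpected has to come from the investigator's own baseline.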
In addition to restoring logging behavior, Apple addressed multiple security vulnerabilities in iOS 26.2 and the subsequent 26.3 release, including CVEs that were reportedly exploited in the wild. Users are advised to apply the available updates immediately. Those at high risk of being targeted by spyware are advised to activate Lockdown Mode, an optional iOS security feature that imposes extreme usability limitations to prevent malware infections and sensitive data leaks.






