A critical update has just landed, and it might make it harder than ever to spot if your iPhone has been secretly hacked. Apple's iOS 26 update has introduced a change that could be a game-changer for digital security, but not in a good way. It's essentially wiped out a crucial forensic artifact that security researchers have been using to detect nasty spyware infections, like Pegasus and Predator.
The folks over at iVerify were the first to raise the alarm. They discovered that the update messes with the shutdown.log file, a hidden but vital log within Apple's Sysdiagnose tool. This log used to keep a record of everything that happened during shutdowns and reboots, which provided clues about sophisticated spyware infections. But with iOS 26, this log gets overwritten every time you restart your phone, which means historical evidence is gone.
For years, the shutdown.log has been a reliable way to spot iOS malware. Researchers found traces of Pegasus, the state-sponsored spyware from the NSO Group, in this log back in 2021. By 2022, Pegasus tried to cover its tracks by wiping the log, but forensic analysts could still find clues like sudden log truncations or specific file paths. One of these clues was the presence of the /private/var/db/com.apple.xpc.roleaccountd.staging/com.apple.WebKit.Networking path, which was linked to Pegasus variants that were trying to look like legitimate system processes to avoid detection.
And this is the part most people miss... Predator, another high-end spyware platform, developed by Cytrox, also used similar tactics. Its activity in the shutdown.log became a point of interest for forensic analysts starting in 2023. It seems Predator was actively monitoring and manipulating the shutdown logging process, likely learning from Pegasus.
Now, with iOS 26 automatically overwriting the shutdown.log at each reboot, this entire line of investigation is lost. Apple hasn't said much about this change. It's unclear whether it was done on purpose or if it's just a mistake. But its timing is suspicious, especially with the rise of spyware campaigns targeting government critics, journalists, and other high-profile individuals.
But here's where it gets controversial... Apple may have done this to improve performance or system hygiene. However, some security experts are concerned that this change could make it easier for spyware developers to operate undetected.
In the meantime, if you're a high-risk user, it's a good idea to create and securely store a sysdiagnose file from your device before updating to iOS 26. This will preserve the current shutdown.log, which could still contain valuable forensic data.
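Once a sysdiagnose has been saved, its shutdown.log can be checked for the staging path mentioned above and for how many reboot records it still holds. The Python below is an added example, not code from iVerify or Apple; the line format it parses ("remaining client pid" entries closed by a "SIGTERM: [epoch]" line), the function names and the sample log are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Directory the article links to Pegasus variants posing as system processes.
SUSPECT_PREFIXES = ("/private/var/db/com.apple.xpc.roleaccountd.staging/",)

# Assumed line shapes, not an Apple-documented format.
CLIENT_RE = re.compile(r"remaining client pid: (\d+) \((.+)\)")
SIGTERM_RE = re.compile(r"SIGTERM: \[(\d+)\]")

def parse_shutdown_log(text):
    """Group lingering-process lines into one record per reboot."""
    records, clients = [], set()
    for line in text.splitlines():
        m = CLIENT_RE.search(line)
        if m:
            clients.add((int(m.group(1)), m.group(2)))  # set drops repeats
            continue
        m = SIGTERM_RE.search(line)
        if m:  # the SIGTERM line closes the current reboot record
            when = datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc)
            records.append({"time": when, "clients": sorted(clients)})
            clients = set()
    return records

def find_suspect_entries(records):
    """Return (reboot time, pid, path) for processes under a suspect prefix."""
    return [(rec["time"].isoformat(), pid, path)
            for rec in records
            for pid, path in rec["clients"]
            if path.startswith(SUSPECT_PREFIXES)]

# Constructed sample: two reboots, the second with a lingering staged binary.
SAMPLE_LOG = """\
After 1.00s, these clients are still here:
    remaining client pid: 224 (/usr/libexec/keybagd)
SIGTERM: [1640995200] All buses and clients are gone; exiting immediately
After 1.00s, these clients are still here:
    remaining client pid: 612 (/private/var/db/com.apple.xpc.roleaccountd.staging/com.apple.WebKit.Networking)
After 2.00s, these clients are still here:
    remaining client pid: 612 (/private/var/db/com.apple.xpc.roleaccountd.staging/com.apple.WebKit.Networking)
SIGTERM: [1641081600] All buses and clients are gone; exiting immediately
"""

if __name__ == "__main__":
    recs = parse_shutdown_log(SAMPLE_LOG)
    print(f"{len(recs)} reboot record(s) preserved in this log")
    for hit in find_suspect_entries(recs):
        print("suspect entry:", hit)
```

The reboot count matters as much as the hits: a log holding a single record, as the article says happens after each restart on iOS 26, cannot show anything from earlier reboots.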
What do you think about this change? Do you think Apple should provide more transparency about these kinds of updates? Share your thoughts in the comments below!