2 Remove Virus

iOS 26 Update Wipes Key Spyware Forensic Trace, Raising Stakes for Pegasus & Predator Detection

Few smartphone threats generate as much concern as Pegasus and Predator spyware. These are tools built for stealth and the extraction of sensitive information, including messages, contacts, geolocation, and data captured from microphones and cameras. Now, with the rollout of iOS 26, a key forensic trace that long helped investigators track these intrusions is being changed. That shift has serious implications for both forensic professionals and everyday users.

Security researchers at iVerify flagged that the update to iOS 26 has altered how Apple handles one particular log file, the shutdown.log, part of the Sysdiagnose package in the Unified Logs folder. In previous versions of iOS, shutdown.log provided a snapshot of system activity at device shutdown, and spyware like Pegasus reliably left traces inside it.

With iOS 26, Apple appears to have changed the behaviour. Rather than appending each shutdown event to the log, the file is effectively overwritten at each reboot. In practical terms, any prior entries that might have been left by spyware could be erased once the user restarts the device. That means evidence of earlier compromise may vanish without a trace.

To understand the scale of this, it helps to explain how researchers used shutdown.log in the past. When Pegasus infected an iPhone, it often left behind signatures in this log, even if it then attempted to wipe them. Investigators learned to recognise patterns such as entries pointing to unexpected WebKit networking tasks, staging directories, or unusual process names during shutdown sequences.

In one documented case, iVerify found that even a cleared or oddly formatted shutdown.log could itself be a red flag, because the absence of expected entries became a heuristic of compromise.

What has changed with iOS 26 is that the “clean slate at reboot” behaviour appears to wipe out just that forensic record. According to iVerify, unless a user takes a device snapshot or sysdiagnose before updating to iOS 26, any traces of historic infection may already be lost forever.

This matters for two reasons. First, individuals who suspect their phones may have been targeted by sophisticated spyware lose the shutdown.log entries they would need to prove or investigate the compromise, so their ability to do so is significantly weakened. Second, for security professionals and incident responders, the change reduces visibility into past behaviour, increasing the complexity of threat hunting and forensic investigations.

The shift in iOS 26 doesn’t just affect trace detection. It comes at a time when spyware such as Pegasus and Predator is no longer used only against human rights activists and journalists. iVerify’s prior research found that high-net-worth business executives, government personnel, and private-sector leaders have also been targeted.

Given the shifting tactics of these surveillance tools, the ability to detect them has always been a race. iOS 26’s change may give attackers yet another advantage by reducing the window for investigators to catch historic infections.

What this means for you

If you own an iPhone or manage devices in a corporate environment, here are key steps to consider in light of this development:

1. Before upgrading to iOS 26: If you suspect a device may have been compromised, run a full sysdiagnose before applying the update. Save the shutdown.log, archive it, and keep a copy safe. Once iOS 26 is installed and the device rebooted, the log entries may be lost.

2. Enable monitoring and detection tools: Use reputable mobile-forensics or EDR solutions that can scan diagnostic logs, system behaviour, and known indicators of compromise (IOCs) such as staging directories, unexpected networking tasks, or log anomalies.

3. For enterprise fleets, prioritise continuous visibility: Because historic traces may vanish, detection models must lean more on real-time detection of anomalies, such as unusual authenticator registrations, unknown device enrolments, or background process behaviour, rather than relying solely on static log artifacts.

4. Stay updated: It remains important to install the latest iOS patches (which may fix zero-day vulnerabilities). But be aware that updates may also alter forensic artefacts. For high-risk users, consider keeping the device in Lockdown Mode and backing up logs before major updates.

5. Educate your organisation: Many users are unaware that system logs matter for forensic continuity. Ensuring employees and executives understand that updating an OS can affect traceability is now part of digital hygiene.
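The heuristics described earlier (unexpected processes still alive at shutdown, and a log that is empty or holds only a single reboot) and step 1 above (archive the log before upgrading) can be scripted for triage. The following is an added example, not code from iVerify or from the article; the shutdown.log line format, the sample lines and the allowlist of system binary prefixes are all assumed and constructed here, so they should be adjusted against a real sysdiagnose capture before use.

```python
import hashlib
import re
from pathlib import Path

# Constructed sample, loosely modelled on shutdown.log (assumed format, not a real capture):
# each reboot appends a SIGTERM block listing the processes still alive at shutdown.
SAMPLE_LOG = """\
SIGTERM: [0x1a2b] 2 remaining clients
remaining client pid: 88 (/usr/libexec/locationd)
remaining client pid: 412 (/private/var/db/staging.example/helper)
after 2s
SIGTERM: [0x1a2c] 1 remaining clients
remaining client pid: 91 (/usr/sbin/wifid)
after 1s
"""

# Assumed allowlist of system binary prefixes; anything else alive at shutdown merits a look.
SYSTEM_PREFIXES = ("/usr/", "/System/", "/sbin/", "/bin/")
CLIENT_RE = re.compile(r"remaining client pid:\s*(\d+)\s*\((.+?)\)")
SHUTDOWN_RE = re.compile(r"^SIGTERM:")


def parse_shutdown_log(text):
    """Return (number of shutdown sequences, list of (pid, path) clients still running)."""
    shutdowns = sum(1 for line in text.splitlines() if SHUTDOWN_RE.match(line))
    clients = [(int(m.group(1)), m.group(2)) for m in CLIENT_RE.finditer(text)]
    return shutdowns, clients


def triage(text):
    """Apply the article's heuristics: odd process paths, and a log too sparse to trust."""
    shutdowns, clients = parse_shutdown_log(text)
    findings = []
    if shutdowns == 0:
        findings.append("empty or unparseable shutdown.log: absence of entries is itself a red flag")
    elif shutdowns == 1:
        findings.append("only one shutdown recorded: log may have been overwritten at reboot")
    for pid, path in clients:
        # Staging-style directories and non-system paths are the patterns the article mentions.
        if not path.startswith(SYSTEM_PREFIXES) or "staging" in path.lower():
            findings.append(f"unexpected process alive at shutdown: pid {pid} {path}")
    return findings


def archive_log(text, dest):
    """Preserve the log before upgrading and return its SHA-256 for chain of custody."""
    Path(dest).write_text(text)
    return hashlib.sha256(text.encode()).hexdigest()


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print("!", finding)
    print("archived, sha256 =", archive_log(SAMPLE_LOG, "shutdown.log.bak"))
```

On a real device, feed the script the shutdown.log pulled from the sysdiagnose archive rather than the constructed sample, and compare any flagged paths against current published indicators.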

The change in iOS 26 reflects a broader tension in mobile security. Apple may argue that wiping logs at reboot is a system hygiene improvement, like reducing log file size, improving performance, or limiting residual data. Yet in practice, it may also remove tools that defenders rely on to detect sophisticated threats.

For attackers, this shift represents a gain. Without reliable historical logs, retrospective investigations are tougher. Gone are some of the “smoking-gun” traces that investigators knew how to read. That doesn’t mean compromise is impossible to detect, but it means detection will require more real-time awareness and multiple signal sources rather than just one log file.

For the security industry, it is a wake-up call that forensic models must evolve. Old heuristics tied to specific log files may no longer suffice. Detection must become more behavioural, more continuous, and more resilient to OS-level changes.

The update to iOS 26 may be small in plain view, but its impact is anything but trivial. For anyone relying on forensic traces to uncover spyware like Pegasus or Predator, the window for detection has just become smaller. For the defenders of mobile security, it’s a reminder that vigilance, layered visibility, and forward-thinking strategies are more crucial than ever.