Researchers at mobile security firm ZecOps have shown how a piece of iOS malware can achieve “persistence” on a device by faking its shutdown process.
Malware designed to target iPhones is not uncommon, but many of these threats are not capable of staying on a device after it has been rebooted.
Instead of trying to develop a sophisticated persistence exploit for their malware, threat actors could simply monitor the victim’s actions and simulate a shutdown of the iPhone when the victim attempts to turn off their device.
ZecOps has dubbed the method “NoReboot” and described it as the “ultimate persistence bug” that cannot be patched.
The attack method abuses the InCallService system application; SpringBoard, the iOS component that manages the iPhone’s home screen; and BackBoard, which Apple introduced to help SpringBoard with some tasks related to hardware events, such as touches and button presses.
Researchers found that when a user initiates a shutdown event by pressing and holding the volume button until the “power off” slider appears, the attacker can inject their code into the InCallService, SpringBoard and BackBoard daemons. Thr attacker can get SpringBoard and BackBoard to — instead of shutting down the device — make it look like the device has been powered off by disabling all physical feedback, including the screen, sounds, vibration, the camera indicator, and touch feedback.
To avoid raising suspicion, the attacker can display the system boot animation when the user wants to power on the iPhone.
ZecOps has made available a proof-of-concept (PoC) exploit and it has published a video showing the method in action. The video shows how an attacker with access to a phone could continue spying on the victim while the device appears to be powered off.
When asked if Apple has been informed about this research, Zuk Avraham, CEO and founder of ZecOps, told SecurityWeek that while his company typically shares threat intelligence and vulnerabilities with Apple, NoReboot is a technique that doesn’t exploit actual vulnerabilities in iOS, so it cannot be patched.
“The concept of NoReboot is to trick the mind into believing the phone was powered off, and properly powered on when the boot animation is displayed. There’s no software solution that cannot be bypassed, as such, traditional responsible disclosure is not relevant,” Avraham said.
“Vendors that are interested in fixing this issue should provide a hardware indicator if the phone is powered on/off, and similarly for the microphone / camera,” he added.
SecurityWeek has reached out to Apple for comment and will update this article if the tech giant responds.
Related: XcodeGhost Malware Discovered in 2015 Impacted 128 Million iOS Users
Related: Apple Points to Android Malware Infections in Argument Against Sideloading on iOS
