Connect with us

Hi, what are you looking for?


Malware & Threats

Malware Can Fake iPhone Shutdown via ‘NoReboot’ Technique

Researchers at mobile security firm ZecOps have shown how a piece of iOS malware can achieve “persistence” on a device by faking its shutdown process.

Researchers at mobile security firm ZecOps have shown how a piece of iOS malware can achieve “persistence” on a device by faking its shutdown process.

Malware designed to target iPhones is not uncommon, but many of these threats are not capable of staying on a device after it has been rebooted.

Instead of trying to develop a sophisticated persistence exploit for their malware, threat actors could simply monitor the victim’s actions and simulate a shutdown of the iPhone when the victim attempts to turn off their device.

ZecOps has dubbed the method “NoReboot” and described it as the “ultimate persistence bug” that cannot be patched.

The attack method abuses the InCallService system application; SpringBoard, the iOS component that manages the iPhone’s home screen; and BackBoard, which Apple introduced to help SpringBoard with some tasks related to hardware events, such as touches and button presses.

Researchers found that when a user initiates a shutdown event by pressing and holding the volume button until the “power off” slider appears, the attacker can inject their code into the InCallService, SpringBoard and BackBoard daemons. Thr attacker can get SpringBoard and BackBoard to — instead of shutting down the device — make it look like the device has been powered off by disabling all physical feedback, including the screen, sounds, vibration, the camera indicator, and touch feedback.

To avoid raising suspicion, the attacker can display the system boot animation when the user wants to power on the iPhone.

Advertisement. Scroll to continue reading.

ZecOps has made available a proof-of-concept (PoC) exploit and it has published a video showing the method in action. The video shows how an attacker with access to a phone could continue spying on the victim while the device appears to be powered off.

When asked if Apple has been informed about this research, Zuk Avraham, CEO and founder of ZecOps, told SecurityWeek that while his company typically shares threat intelligence and vulnerabilities with Apple, NoReboot is a technique that doesn’t exploit actual vulnerabilities in iOS, so it cannot be patched.

“The concept of NoReboot is to trick the mind into believing the phone was powered off, and properly powered on when the boot animation is displayed. There’s no software solution that cannot be bypassed, as such, traditional responsible disclosure is not relevant,” Avraham said.

“Vendors that are interested in fixing this issue should provide a hardware indicator if the phone is powered on/off, and similarly for the microphone / camera,” he added.

SecurityWeek has reached out to Apple for comment and will update this article if the tech giant responds.

Related: XcodeGhost Malware Discovered in 2015 Impacted 128 Million iOS Users

Related: Apple Points to Android Malware Infections in Argument Against Sideloading on iOS

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.