Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Malware Can Fake iPhone Shutdown via ‘NoReboot’ Technique

Researchers at mobile security firm ZecOps have shown how a piece of iOS malware can achieve “persistence” on a device by faking its shutdown process.

Researchers at mobile security firm ZecOps have shown how a piece of iOS malware can achieve “persistence” on a device by faking its shutdown process.

Malware designed to target iPhones is not uncommon, but many of these threats are not capable of staying on a device after it has been rebooted.

Instead of trying to develop a sophisticated persistence exploit for their malware, threat actors could simply monitor the victim’s actions and simulate a shutdown of the iPhone when the victim attempts to turn off their device.

ZecOps has dubbed the method “NoReboot” and described it as the “ultimate persistence bug” that cannot be patched.

The attack method abuses the InCallService system application; SpringBoard, the iOS component that manages the iPhone’s home screen; and BackBoard, which Apple introduced to help SpringBoard with some tasks related to hardware events, such as touches and button presses.

Researchers found that when a user initiates a shutdown event by pressing and holding the volume button until the “power off” slider appears, the attacker can inject their code into the InCallService, SpringBoard and BackBoard daemons. Thr attacker can get SpringBoard and BackBoard to — instead of shutting down the device — make it look like the device has been powered off by disabling all physical feedback, including the screen, sounds, vibration, the camera indicator, and touch feedback.

To avoid raising suspicion, the attacker can display the system boot animation when the user wants to power on the iPhone.

ZecOps has made available a proof-of-concept (PoC) exploit and it has published a video showing the method in action. The video shows how an attacker with access to a phone could continue spying on the victim while the device appears to be powered off.

Advertisement. Scroll to continue reading.

When asked if Apple has been informed about this research, Zuk Avraham, CEO and founder of ZecOps, told SecurityWeek that while his company typically shares threat intelligence and vulnerabilities with Apple, NoReboot is a technique that doesn’t exploit actual vulnerabilities in iOS, so it cannot be patched.

“The concept of NoReboot is to trick the mind into believing the phone was powered off, and properly powered on when the boot animation is displayed. There’s no software solution that cannot be bypassed, as such, traditional responsible disclosure is not relevant,” Avraham said.

“Vendors that are interested in fixing this issue should provide a hardware indicator if the phone is powered on/off, and similarly for the microphone / camera,” he added.

SecurityWeek has reached out to Apple for comment and will update this article if the tech giant responds.

Related: XcodeGhost Malware Discovered in 2015 Impacted 128 Million iOS Users

Related: Apple Points to Android Malware Infections in Argument Against Sideloading on iOS

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

DARPA veteran Dan Kaufman has joined Badge as SVP, AI and Cybersecurity.

Kelly Shortridge has been promoted to VP of Security Products at Fastly.

After the passing of Amit Yoran, Tenable has appointed Steve Vintz and Mark Thurmond as co-CEOs.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.