According to researchers, a newly described trick lets malware fake an iPhone shutdown so it can keep spying on the user. Researchers from ZecOps discovered the malware technique, dubbed “NoReboot”, which can block and simulate an iOS reboot, making the user believe the phone has been powered off while it is actually still running.
The security firm based in San Francisco said, “ultimate persistence bug […] that cannot be patched because it’s not exploiting any persistence bugs at all — only playing tricks with the human mind.”
The malware interferes with the routines iOS uses to shut down and restart the device, ensuring that neither ever actually happens. This lets a trojan achieve persistence without a persistence exploit, because the device is never truly turned off.
NoReboot injects specially crafted code into three iOS daemons, i.e. InCallService, SpringBoard, and Backboardd. The result looks like a shutdown: the code disables all the audio-visual cues of a powered-on device, including the screen, sounds, vibration, the camera indicator, and touch feedback. The malware thus gives the impression that the device is shut down without actually shutting it down. It hijacks the event that is triggered when the user simultaneously presses and holds the side button and one of the volume buttons and then drags the “slide to power off” slider.
The researchers explained, “Despite that, we disabled all physical feedback, the phone still remains fully functional and is capable of maintaining an active internet connection. The malicious actor could remotely manipulate the phone in a blatant way without worrying about being caught because the user is tricked into thinking that the phone is off, either being turned off by the victim or by malicious actors using ‘low battery’ as an excuse.”
The malware then forces SpringBoard, iOS’s graphical user interface, to exit (as opposed to the entire OS) and takes control of Backboardd, the daemon that handles all touch and physical button click events. This lets it display the Apple logo effect if the user tries to turn the still-running phone back on, while the malicious code continues to persist.
The technique can also be extended to manipulate an iPhone force restart: when Backboardd records such an event, the malware deliberately shows the Apple logo a few seconds early, fooling the victim into releasing the side button without a force restart actually being triggered.
No other malware resembling NoReboot has been identified or documented. According to the findings, the iOS restart process is also immune to being hijacked. The technique requires that a bad actor first gain access to a target device, a feat within reach of nation-state groups and cyber mercenaries alike.
In conclusion, the researchers said, “Non-persistent threats achieved ‘persistency’ without persistence exploits.”
The proof-of-concept (PoC) exploit demonstrating NoReboot is available via GitHub here.