iPhone Malware Can Fake Shutdown to Spy on Users


Security researchers discovered a new technique that can fake a shutdown or reboot on an iPhone. This technique can prevent malware from being removed and make it easier for hackers to spy on users via microphones and cameras.

Usually, malware on an iPhone can be removed simply by turning off or rebooting the device. This new technique hijacks the shutdown process and prevents it from completing: it mimics a shutdown while allowing the malware to keep running silently.

According to ZecOps's analysis, the technique, which the researchers call 'NoReboot', is the most advanced persistence bug because an infected user will not know that the device is still running even though it appears to be switched off.

"The NoReboot approach simulates a real shutdown. Users cannot feel the difference between a real shutdown and a fake shutdown," ZecOps wrote in its analysis, as quoted from ThreatPost, Sunday (9/1/2022).

"There's no interface or feedback button whatsoever until the user restarts the phone... we can't, and shouldn't, trust a normal reboot."


Usually, iPhone users turn off their phones by pressing the volume down button and the power button at the same time, then sliding the 'power off' slider on the screen. After that, the only indication that the phone is off is that the screen is inactive and does not respond when tapped.

To simulate this condition, NoReboot starts by injecting code into the three daemons responsible for the shutdown process, namely InCallService, SpringBoard, and backboardd.

The malware hijacks the shutdown process by hooking a signal sent to SpringBoard. Instead of the expected signal, the malware sends code that forces SpringBoard to stop, which makes the device unresponsive to user input.

After that, backboardd is instructed to display a spinning wheel, which indicates that the shutdown process is running. backboardd is another daemon, one that records physical button presses and screen touches with timestamps.

By abusing this daemon, the malware can tell when a user tries to turn the phone on. By monitoring this activity, the malware can trick users into releasing the power button early, canceling the shutdown or reboot process.

At this point, there is no physical indication that the iPhone is on, yet it is still awake and connected to the internet. This allows bad actors to do what they want on the phone without being caught by the user.

In a proof of concept (PoC) that was shown by ZecOps, they managed to eavesdrop on the user through the camera and microphone, even though the iPhone was apparently turned off.

ZecOps researchers say that although the issue is called a persistence bug, it can't be fixed by Apple because it doesn't exploit any bugs. ZecOps says this trick can be executed on all versions of the iPhone and to prevent it, Apple should create a physical indicator to show the status of the iPhone when it sleeps or turns off.

To protect their devices, iPhone users should check for malware and trojans that may be residing in apps, and be careful when downloading and installing new apps.
