Security researchers have devised a way to fake an iPhone shutdown or reboot so that a malware infection survives the restart, letting an attacker keep covertly listening through the microphone and pulling sensitive data off the device over a live network connection.
Until now, iOS malware that lived only in memory could be cleared by simply restarting the device, because a reboot wipes it from memory. This technique instead hooks the shutdown and reboot routines so that they never actually happen: the malware persists because the device is never really powered off. The researchers call the attack "NoReboot" and argue it cannot be patched by Apple, since it exploits no iOS vulnerability and relies entirely on deceiving the user. Note that it is a post-compromise trick, not an initial infection vector: the attacker must already have code running on the device before NoReboot can hide it.
To restart an iPhone, the user presses and holds the power button and a volume button together until the slider with the power-off option appears, then waits roughly 30 seconds for the process to finish. A powered-off iPhone gives several natural cues: the screen goes black, the camera is off, 3D Touch feedback does not respond to long presses, call and notification sounds are muted, and all vibration stops.
ZecOps security researchers have built a trojan proof-of-concept (PoC) that injects specially crafted code into three iOS daemons to simulate a shutdown by switching off every one of these indicators.
The malware hijacks the shutdown event by hooking the signal sent to SpringBoard, the daemon that handles user-interface interaction. Instead of the intended signal, the trojan sends a code that forces SpringBoard to exit, leaving the device unresponsive to user input. Because a device that really is shutting down also ignores input, this is the ideal disguise.
Next, the backboardd daemon is instructed to display the spinning wheel that signals a shutdown in progress. backboardd is the iOS daemon that collects physical button presses and screen touches, with timestamps, so abusing it also tells the trojan when the user is trying to "turn on" the phone. By monitoring these events, the malware can trick the user into releasing the buttons earlier than they should, which prevents a genuine forced restart.
The next phase in the “NoReboot” attack is described by ZecOps as follows:
“The file will unleash the SpringBoard and trigger a special code block in our injected dylib. What it does is to leverage local SSH access to gain root privilege, then we execute /bin/launchctl reboot userspace.”
“This will exit all processes and restart the system without touching the kernel. The kernel remains patched. Hence malicious code won’t have any problem continuing to run after this kind of reboot. The user will see the Apple Logo effect upon restarting.”
“This is handled by backboardd as well. Upon launching the SpringBoard, the backboardd lets SpringBoard take over the screen.”
The user is returned to a normal UI, with all processes and services running as usual and no indication that what they just watched was a simulated reboot. ZecOps has also published a video demonstrating how easily the NoReboot approach can fool someone into believing their device has been switched off.
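The quoted passage makes one detail useful for defenders: a userspace reboot restarts every process but never touches the kernel, so the kernel's own boot timestamp cannot advance. The script below is an added detection check, not code from ZecOps or the original article. It records the kernel boot time when the user asks for a reboot and compares it afterwards; a "reboot" that leaves that timestamp unchanged never restarted the kernel. It runs on Linux (reading `btime` from `/proc/stat`) and falls back to `CLOCK_BOOTTIME` or `CLOCK_MONOTONIC` elsewhere. The state-file path, the skew tolerance and the assumption that iOS's `kern.boottime` sysctl behaves the same way across a userspace reboot are all this example's own.

```python
import json
import os
import sys
import time

# Hypothetical state-file path and skew tolerance; both are assumptions of this example.
STATE_FILE = os.path.expanduser("~/.reboot_check.json")
CLOCK_SKEW_TOLERANCE = 5.0  # seconds, to absorb NTP adjustments between the two readings


def kernel_boot_time() -> float:
    """Epoch seconds at which the running kernel booted, as the kernel itself reports it.

    Linux exposes this as the 'btime' line of /proc/stat. Elsewhere we derive it from a
    clock that counts seconds since boot (CLOCK_BOOTTIME if available, else CLOCK_MONOTONIC).
    On iOS the equivalent source would be the kern.boottime sysctl (assumption: it is not
    reset by a userspace-only reboot, since the kernel keeps running).
    """
    try:
        with open("/proc/stat") as stat:
            for line in stat:
                if line.startswith("btime "):
                    return float(line.split()[1])
    except OSError:
        pass
    clock_id = getattr(time, "CLOCK_BOOTTIME", time.CLOCK_MONOTONIC)
    return time.time() - time.clock_gettime(clock_id)


def record_before_reboot(path: str = STATE_FILE) -> dict:
    """Snapshot the kernel boot time and the moment the reboot was requested."""
    state = {"kernel_boot_time": kernel_boot_time(), "requested_at": time.time()}
    with open(path, "w") as fh:
        json.dump(state, fh)
    return state


def judge_reboot(before: dict, after_boot_time: float, now: float,
                 tolerance: float = CLOCK_SKEW_TOLERANCE) -> tuple:
    """Decide whether the kernel really restarted since `before` was recorded.

    Returns (genuine, reason). `before` is the snapshot from record_before_reboot,
    `after_boot_time` the kernel boot time read after the apparent reboot, and `now`
    the wall-clock time at which the check runs.
    """
    if abs(after_boot_time - before["kernel_boot_time"]) <= tolerance:
        # The signature of a fake or userspace-only reboot: same kernel, same boot time.
        return False, "kernel boot time unchanged: kernel never restarted (userspace-only reboot, or no reboot)"
    if after_boot_time < before["requested_at"] - tolerance:
        # Boot time moved, but to before the request was made: clock tampering or a stale record.
        return False, "kernel boot time predates the reboot request: clock tampering or stale record"
    if after_boot_time > now + tolerance:
        return False, "kernel boot time lies in the future: clock inconsistent"
    return True, "kernel restarted %.0fs after the reboot was requested" % (
        after_boot_time - before["requested_at"])


def check_after_reboot(path: str = STATE_FILE) -> tuple:
    """Compare the stored snapshot with the kernel's current boot time."""
    with open(path) as fh:
        before = json.load(fh)
    return judge_reboot(before, kernel_boot_time(), time.time())


if __name__ == "__main__":
    if len(sys.argv) == 2 and sys.argv[1] == "before":
        print(record_before_reboot())
    elif len(sys.argv) == 2 and sys.argv[1] == "after":
        genuine, reason = check_after_reboot()
        print(("GENUINE" if genuine else "SUSPICIOUS") + ": " + reason)
        sys.exit(0 if genuine else 1)
    else:
        print("usage: %s before|after" % sys.argv[0])
```

Run `before` immediately prior to asking for the reboot and `after` once the UI is back. Treat the result as one signal rather than proof: a check that runs on the compromised device can itself be hooked, exactly as NoReboot hooks SpringBoard and backboardd, so the boot-time reading is most trustworthy when taken from a separate vantage point such as the host side of a USB connection.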