Pierluigi Paganini January 06, 2022

Researchers devised a sophisticated persistence technique, named NoReboot, for iOS malware that fake shut downs.

Researchers from Zecops devised a sophisticated persistence technique, named NoReboot, for iOS malware that fake shut downs while spies on the user.

The technique is based on the concept of simulating a shutdown of the iPhone when the victim attempts to turn off their device. According to the experts, the user is not aware to distinguish between a real shutdown and a “fake shutdown”.

The researchers demonstrated how to use this technique to remote microphone & camera accessed after “turning off” the phone, and “persisting” when the phone will get back to a “powered on” state.

In order to hijack the shutdown event, the researchers abuse some components, such as the InCallService system application, the SpringBoard which is responsible for the majority of the UI interaction, and BackBoard, which supports SpringBoard to handle some tasks related to hardware events (i.e. and button presses).

“We managed to hijack the signal by hooking the Objective-C method -[FBSSystemService shutdownWithOptions:]. Now instead of sending a shutdown signal to SpringBoard, it will notify both SpringBoard and backboardd to trigger the code we injected into them.” reads the analysis published by Zecops. “In backboardd, we will hide the spinning wheel animation, which automatically appears when SpringBoard stops running, the magic spell which does that is [[BKSDefaults localDefaults]setHideAppleLogoOnLaunch:1]. Then we make SpringBoard exit and block it from launching again. Because SpringBoard is responsible for responding to user behavior and interaction, without it, the device looks and feels as if it is not powered on. which is the perfect disguise for the purpose of mimicking a fake poweroff.”

When a user attempt to shutdown the device by pressing and holding the volume button, the attacker can inject its code into the daemons of the above components. SpringBoard and BackBoard could be instructed to simulate the shutdown by disabling any physical feedback while displaying the system boot animation. Physical feedbacks that can be disabled are:

• Ring/Sound from incoming calls and notifications
• Touch feedback (3D touch)
• Vibration (silent mode switch triggers a burst of vibration)
• Screen
• Camera indicator

The experts pointed out that the phone remains fully functional and is still connected to the Internet despite that all physical feedback have been disabled, this means that a spyware can still spy on the users.

The experts released a proof-of-concept (PoC) exploit and published a video PoC showing how an attacker with access to a phone could continue spying on the victim using the camera and the microphone.

“Since iOS 15, Apple introduced a new feature allowing users to track their phone even when it’s been turned off. Malware researcher @naehrdine wrote a technical analysis on this feature and shared her opinion on “Security and privacy impact”. We agree with her on “Never trust a device to be off, until you removed its battery or even better put it into a Blender.” concludes the experts.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, NoReboot)

[adrotate banner=”5″]

[adrotate banner=”13″]