Researchers have disclosed a novel technique by which malware on iOS can maintain persistence on an infected device by faking the shutdown process, making it impossible to tell from the device's physical behaviour whether an iPhone is off or on.
The discovery — dubbed “NoReboot” — comes courtesy of mobile security firm ZecOps, which found that it’s possible to block and then simulate an iOS rebooting operation, deceiving the user into believing that the phone has been powered off when, in reality, it’s still running.
The San Francisco-headquartered company called it the “ultimate persistence bug […] that cannot be patched because it’s not exploiting any persistence bugs at all — only playing tricks with the human mind.”
NoReboot works by interfering with the routines iOS uses to shut down and restart the device, preventing them from ever running. A trojan thereby achieves what amounts to persistence without a persistence mechanism: because the device is never actually turned off, the implanted code never has to survive a reboot.
This is accomplished by injecting specially crafted code into three iOS system processes, InCallService, SpringBoard, and backboardd, to feign a shutdown by suppressing every audio-visual cue of a powered-on device: the screen, sounds, vibration, the camera indicator, and touch feedback. The technique therefore presupposes that the malware is already running on the device with enough privilege to inject code into these processes; NoReboot itself exploits no vulnerability and is not an initial-access technique.
Put differently, the idea is to give the impression that the device has shut down without actually shutting it down, by hijacking the event that fires when the user presses and holds the side button together with one of the volume buttons and then drags the "slide to power off" slider. The user sees the familiar power-off sequence followed by a dark screen that no longer reacts to touch, while the malware keeps running in the background.