"Malware Can Fake iPhone Shutdown via 'NoReboot' Technique"

Researchers at mobile security firm ZecOps have discovered how a piece of iOS malware can achieve "persistence" on a device by faking its shutdown process. Malware designed to target iPhones is not uncommon, but many of these threats cannot stay on a device after it has been rebooted, the researchers noted. Instead of developing a sophisticated persistence exploit for their malware, the researchers stated, threat actors could simply monitor the victim's actions and simulate a shutdown of the iPhone when the victim attempts to turn off the device. ZecOps has dubbed the method "NoReboot" and described it as the "ultimate persistence bug" that cannot be patched.

The researchers found that when a user initiates a shutdown event by pressing and holding the volume button until the "power off" slider appears, the adversary can inject their code into the InCallService, SpringBoard, and BackBoard daemons. Instead of shutting down the device, the attacker can get SpringBoard and BackBoard to make it look as though the device has been powered off by disabling all physical feedback, including the screen, sounds, vibration, the camera indicator, and touch feedback. To avoid raising suspicion, the attacker can display the system boot animation when the user wants to power on the iPhone.

ZecOps has made available a proof-of-concept (PoC) exploit and has published a video showing the method in action. The video shows how an attacker with access to a phone could continue spying on the victim while the device appears to be powered off. The researchers stated that vendors interested in fixing this issue should provide a hardware indicator showing whether the phone is powered on or off, and similar indicators for the microphone and camera.
 

SecurityWeek reports: "Malware Can Fake iPhone Shutdown via 'NoReboot' Technique"
