Malware is Prompting Fake Shutdowns on iPhones
Table of Contents
- By David Lukic
- Published: Jan 07, 2022
- Last Updated: Mar 18, 2022
A new version of malware is forcing the fake shutdown of iPhones, providing an opportunity for hackers to spy on users secretly. Digital security researchers recently detailed the novel technique behind the hack. iOS-based malware persists on a target device, making it appear as though the phone has turned off and making it impossible for the user to determine if the phone is on, off, or in the process of shutting off.
What is the Name of the Attack?
For the moment, digital security researchers with the mobile security specialist company ZecOps are naming the attack “NoReboot.” The group determined hackers can block and subsequently simulate the rebooting of iOS devices, making it appear as though the phone is no longer functional. However the phone is still working.
ZecOps representatives described the phony shutdown trick as a “persistence bug” that is impossible to patch as it does not exploit persistence bugs. Rather, the attack focuses on a surface-level trick played on the user’s psyche.
Is NoReboot Similar to Other Malware?
Digital security specialists insist the NoReboot malware is highly unique. No other similar malware has been identified.
How Does the Attack Work?
The NoReboot attack interferes with the routines of the iOS for shutting down and restarting a device, ultimately stopping those routines from occurring. The attack allows a trojan to remain functional despite the device not being turned off. This persistence occurs with an injection of unique code on three specific daemons within iOS. Those daemons are Backboardd, SpringBoard, and InCallService.
The daemons create the impression that the device has turned off by disabling both visual and audio responses that would otherwise occur when the device is in the “on” position. This means the phone’s camera, touch feedback, vibrations, screen, and sounds are non-functional. In short, the attack alters the event that occurs when the iPhone user presses the side buttons in unison to turn off the device.
Do Affected Phones Still Work?
Indeed, iPhones affected by the hack still function. Though the physical feedback is disabled, the phone still works and even remains hooked up to the web through its wireless connection. However, the attack is a problem as it empowers the hacker to remotely alter the phone without any fear of being identified as the phone owner assumes the phone is off. The attack is also advanced to the point that it can create the impression that the phone is low on battery.
The malware also prompts SpringBoard, meaning the graphic user interface, to exit. The BackBoardd is then commanded. BackBoardd is the daemon responsible for the phone’s physical click events. The Apple logo is displayed if the user turns the phone back on, setting the stage for the nasty code to continue causing problems. It is also possible for the malware to spur a lengthy forced restart that creates the appearance of the Apple logo for a couple of seconds earlier than normal, prompting the target user to release the power button without actually triggering a restart of the phone.