A novel proof-of-concept vulnerability has been disclosed that imitates an iPhone reboot or shutdown to avoid virus removal. It’s called NoReboot, and it also enables stealthy microphone snooping and the acquisition of sensitive data over a network connection.
The Story So Far
ZecOps security experts have developed a proof-of-concept programme that simulates a phone shutdown without actually doing so, unleashing harmful operations when they are least expected.
When a user pushes the Power Off button, the PoC simulates a shutdown by turning off the phone’s main indicators. It tricks the user into thinking the power is turned off, causing them to release the power button before it is supposed to be released.
When the power button is pressed again, the device boot animation is displayed, which simulates the actual startup procedure.
The user is returned to a usable UI with all processes and services operating as expected, with no indication that they were duped and went through a fake shutdown/restart.
What causes it to happen?
According to the PoC, carefully written malware injected into three iOS daemons imitates the shutdown process by removing all key indicators.
By hooking a signal delivered to the UI interaction daemon, SpringBoard, the PoC tool hijacks shutdown events.
It sends a code that causes SpringBoard to quit and disables the device’s ability to respond to user input.
As a result, the backboardd daemon is utilised to display the spinning wheel as part of the shutdown procedure.
A final thought
Malware authors can deceive victims and even achieve persistence on iOS devices by using the appearance of a shutdown. The NoReboot technique relies on the fact that various social engineering hacks are meant to exploit human psychology rather than a specific technology.