iOS malware can fake iPhone shutdowns to sniff for camera, microphone


Researchers have developed a new technique that falsifies a shutdown or reboot of iPhones, preventing malware from being removed and allowing hackers to secretly snoop on microphones and receive sensitive data over a live network connection.

Historically, when malware infects an iOS device, it can be removed simply by restarting the device, because a restart clears the malware from memory.

This technique, however, disables the shutdown and restart routines so that they never actually happen, letting the malware persist because the device is never really powered off.

Because this attack, which the researchers call “NoReboot”, does not exploit any bug in iOS and instead relies on deceiving the user, it cannot be patched by Apple.

Simulates a convincing restart

To restart an iPhone, the user presses and holds the power button together with one of the volume buttons until the power-off slider appears, and then waits roughly 30 seconds for the operation to complete.

When an iPhone is turned off, its screen goes dark, the camera is off, 3D Touch haptic feedback no longer responds to long presses, call and notification sounds are silenced, and there is no vibration at all.

Security researchers from ZecOps have developed a proof-of-concept (PoC) Trojan that injects specially crafted code into three iOS daemons to forge a shutdown by disabling every one of the indicators above.

Hijacking of three iOS daemons (Source: ZecOps)

The Trojan hijacks the shutdown event by hooking the signal sent to “SpringBoard”, the daemon that handles user-interface interaction.

Instead of the expected signal, the Trojan sends code that forces SpringBoard to quit, so the device stops responding to user input. This is the perfect disguise, because a device that is shutting down obviously no longer accepts input either.

Code injected into SpringBoard (Source: ZecOps)

Next, the “backboardd” daemon is instructed to display the spinning wheel that indicates a shutdown is in progress.

backboardd is another iOS daemon; it logs physical button presses and screen-touch events with timestamps, so abusing it lets the Trojan know exactly when the user is trying to “turn on” the phone.

By monitoring these events, the Trojan can trick the user into releasing the buttons earlier than a forced restart requires, so an actual forced restart never takes place.

ZecOps describes the next step in the “NoReboot” attack as follows:

The file will release the SpringBoard and trigger a special code block in our injected dylib. What it does is utilize local SSH access to get root privilege, then we perform /bin/launchctl to restart the user area.

This will end all processes and restart the system without touching the kernel. The core remains patched. Therefore, malicious code will have no problem continuing to run after this kind of reboot. The user will see the Apple logo effect at restart.

This is also handled by backboardd. When the springboard is started, the backboard lets the SpringBoard take over the screen.

backboardd hands screen control back to SpringBoard (Source: ZecOps)

The user returns to the regular user interface with all processes and services running as expected, with no indication that they have just watched a simulated reboot.

ZecOps has published a video showing the NoReboot technique in action, illustrating how easily it can trick anyone into believing their device has been turned off.
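The quoted ZecOps description makes one detail clear: a NoReboot “restart” only restarts userland, and the kernel keeps running. That is something a defender can check, because the kernel records the time it booted and a real shutdown or restart produces a fresh value. The following Python snippet is an added example, not code from the article or from ZecOps; it parses the `kern.boottime` line that `sysctl` prints on Darwin-family systems (the same sysctl exists on iOS, though how an analyst collects it from a handset is an assumption here) and compares a value recorded before the user “rebooted” the phone with one read afterwards. The sample lines are constructed, not captured from a device.

```python
import re
from typing import Optional

# Matches the `sec` field of `sysctl kern.boottime` as printed on macOS;
# iOS exposes the same sysctl. The trailing human-readable date is ignored.
_BOOTTIME_RE = re.compile(r"kern\.boottime:\s*\{\s*sec\s*=\s*(\d+)")


def parse_boottime(sysctl_line: str) -> Optional[int]:
    """Return the kernel boot time (seconds since the epoch) from a sysctl line."""
    match = _BOOTTIME_RE.search(sysctl_line)
    return int(match.group(1)) if match else None


def reboot_was_genuine(before: str, after: str) -> bool:
    """Decide whether a claimed reboot really restarted the kernel.

    A genuine shutdown or restart boots a fresh kernel, so kern.boottime
    moves forward. A userspace-only restart of the kind the article
    describes leaves the kernel, and therefore its boot time, untouched.
    """
    t_before, t_after = parse_boottime(before), parse_boottime(after)
    if t_before is None or t_after is None:
        raise ValueError("could not parse kern.boottime from sysctl output")
    return t_after > t_before


def classify(before: str, after: str) -> str:
    """Human-readable verdict for a before/after pair of sysctl lines."""
    if reboot_was_genuine(before, after):
        return "genuine reboot: kernel boot time advanced"
    return "kernel never restarted: suspect a faked reboot"


# Constructed sample output (assumed format; not captured from a real device).
GENUINE_BEFORE = "kern.boottime: { sec = 1641024000, usec = 0 } Sat Jan  1 08:00:00 2022"
GENUINE_AFTER = "kern.boottime: { sec = 1641024300, usec = 0 } Sat Jan  1 08:05:00 2022"
FAKE_BEFORE = GENUINE_BEFORE
FAKE_AFTER = GENUINE_BEFORE  # userland restarted, but the kernel boot time is unchanged

if __name__ == "__main__":
    print(classify(GENUINE_BEFORE, GENUINE_AFTER))
    print(classify(FAKE_BEFORE, FAKE_AFTER))
```

The check is only as trustworthy as the kernel answering the sysctl: the technique described here leaves the kernel untouched, which is exactly why the boot time gives it away, but an implant with kernel privileges could lie about it. Reading the value from outside the device, or confirming the power-down with hardware-level evidence, is the stronger form of the same check.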

Never rely on a device being completely turned off

Apple introduced a new feature in iOS 15 that allows users to find their iPhones via ‘Find My’ even when they’re off.

Apple did not explain exactly how this works, but researchers found that it is achieved by keeping the Bluetooth Low Power Mode (LPM) chip active and running autonomously even while the iPhone is off.

Although all user interaction with the device is disabled, the Bluetooth chip keeps advertising its presence to nearby devices in low-power mode, albeit at intervals greater than the standard 15 minutes.

This illustrates that you can never trust a phone to be completely powered down, even after you have turned it off yourself.

Likewise, the “NoReboot” technique makes it impossible to tell from external appearance whether an iPhone is actually off: by every visible sign, the device appears to have shut down.

Furthermore, malware developers and hackers can now use this technique to gain persistence on iOS devices, so the usual advice to restart an iPhone in order to remove an infection no longer works.
