
New Trick Could Let Malware Fake iPhone Shutdown to Spy on Users Secretly
2022-01-06 02:45

Researchers have disclosed a novel technique by which malware on iOS can achieve persistence on an infected device by faking its shutdown process, making it impossible to physically determine if an iPhone is off or otherwise.

The technique, called NoReboot, works by interfering with the routines iOS uses to shut down and restart the device, effectively preventing them from ever happening in the first place. This lets a trojan persist without any persistence mechanism, as the device is never actually turned off.

Put differently, the idea is to give the impression that the device has been shut down without really shutting it down by hijacking the event that's activated when the user simultaneously presses and holds the side button and one of the volume buttons, and drags the "Slide to power off" slider.

"The malicious actor could remotely manipulate the phone in a blatant way without worrying about being caught because the user is tricked into thinking that the phone is off, either being turned off by the victim or by malicious actors using 'low battery' as an excuse."

The malware strain then forces SpringBoard, iOS's graphical user interface, to exit, and then commands BackBoardd, the daemon that handles all touch and physical button click events, to display the Apple logo effect should the user opt to turn the running phone back on, while the malicious code continues to persist.

Although no malware to date has been detected or publicly documented using a method resembling NoReboot, the findings highlight that even the iOS restart process isn't immune to being hijacked once an adversary has gained access to a target device, something that's well within the reach of nation-state groups and cyber mercenaries alike.


News URL

https://thehackernews.com/2022/01/new-trick-could-let-malware-fake-iphone.html