A new proof-of-concept (PoC) exploit has been demonstrated that fakes a reboot or shutdown of iPhones to prevent malware from being removed. Called NoReboot, it further allows secret snooping on microphones and obtaining sensitive data using the network connection.

What has been discovered

Security researchers from ZecOps have created a PoC tool that simulates a shutdown of phones, without actually doing so, thus triggering the malicious activities when it is least expected.
  • When a user presses the Power Off button, the PoC fakes a shutdown by disabling key indicators of the phone. It makes the user think that the power is off and they release the power button before it was meant to.
  • When the power button is pressed again, it also displays the device boot animation, which gives an impression of the actual boot process.
  • After observing a fake shutdown/restart, the user is returned to a usable UI with all processes and services running as expected, with no sign that they are fooled and went through a fake restart.

How does it happen

The PoC includes a specially crafted code injected on three iOS daemons that fake the shutdown process by disabling all key indicators.
  • The PoC tool hijacks the shutdown events by hooking a signal sent to the UI interaction daemon, SpringBoard.
  • It sends a code forcing SpingBoard to exit and make the device non-responsive to user input.
  • Consequently, a BackBoardd daemon is used to show the spinning wheel for displaying the ongoing shutdown process.

Concluding note

Using the visual pretense of the shutdown, malware creators can fool victims and even gain persistence on iOS devices. NoReboot technique counts on the fact that several social engineering hacks are designed not to target a specific technology, but to exploit human psychology itself.

Cyware Publisher