New iOS malware can fake iPhone shutdowns to spy on users secretly

The new trick fakes iPhone shutdowns so that the camera and microphone can be used to spy on people

Researchers reveal a new tactic to spy on iOS users. Malware can fake the shutdown to remain undetected and spy on users.

Researchers have disclosed a new method that malware on iOS can use to achieve persistence by faking the shutdown of the system. The technique makes it impossible to physically determine whether the iPhone is off or not, so the spyware can keep running.[1]

The discovery is named NoReboot and comes from the ZecOps mobile security firm.[2] The technique fakes the shutdown or reboot, so the malware is not removed and hackers can secretly snoop via the microphone and camera. Attackers might also access sensitive data via a live network connection.

It is an advanced technique because, generally, once malware has infected an iOS device, it can be removed by restarting the device. The intruder gets cleared from memory this way.[3] The new tactic prevents this, allowing the malware to achieve its goals, since the device is never really turned off.

Unfortunately, this is not vulnerability exploitation or an error within the operating system. Apple cannot do anything about it, and patches cannot help to avoid this issue, which relies on human-level deception and convincing users.

Misleading simulation of the shutdown

Restarting the iPhone starts with pressing and holding the power button and one of the volume buttons until the slider with the options appears. Roughly 30 seconds go by and the action is complete. The screen should go black when the device is shut down. The camera is also turned off, and the touch feedback should not respond to long presses. All sounds from calls or notifications are muted, as are vibrations.

However, researchers managed to develop a proof-of-concept[4] tool that shows how vulnerable devices might be. The tactic involves injecting specially crafted code onto iOS devices to fake the shutdown by disabling particular indicators. The malware hijacks the shutdown process and sends code that forces the device to appear non-responsive to user input.

This is the disguise the malware uses to force the fake shutdown state, so users think the device is inactive. Even the spinning wheel icon is shown on the screen, so the user thinks that the shutdown process was initiated properly. A particular iOS daemon logs physical button touches to collect information about users' attempts to turn the device on. This way hackers can further deceive the person into releasing the button before the restart is forced, so malware activities continue to run smoothly.

Do not fall for the trick, and make sure to turn off the device fully

The NoReboot attack triggers more code to access root privileges and execute various actions. It can also exit various processes and restart the system without removing the malware. This further deceives the user and lets the malicious activity continue.

Hence, malicious code won't have any problem continuing to run after this kind of reboot. The user will see the Apple logo effect upon restarting.

Once the user returns to the device, it works as it is supposed to and processes run as expected, even though the reboot was only a simulation. It proves that even though many speculate that Apple devices are immune to threats, this is not true.[5] These findings show that you can never trust a device that is not entirely powered off, even if you were the one who shut it down.

About the author
Jake Doevan
Jake Doevan - Computer technology expert

Jake Doevan is one of News Editors for He graduated from the Washington and Jefferson College , Communication and Journalism studies.
