Security researchers have developed a pseudo-shutdown technique that allows the malware to persist even after iOS reboots. Normally, rebooting an iPhone device erases any malicious code, but ZecOps researchers have developed a security technique called “NoReboot” that allows iPhone malware to gain persistence and survive reboots.
The technology works by faking an iPhone shutdown in an attempt to trick users into believing their device has been turned off. If an attacker pulls this trick, any malware could continue to run on the device — and bad actors could spy on users with the iPhone’s camera and microphone without their knowledge.
NoReboot works by injecting malicious code into three background processes, InCallService, SpringBoard, and backboard, which are responsible for the iPhone’s reboot process. Once an attacker hijacks the restart process, the iPhone appears to the user as shut down, but fully awake and connected to the Internet. This allows attackers to do whatever they want without alerting the user.
This process can also be reversed. “NoReboot” can display a fake wake or boot process, tricking users into believing that their iPhone has actually undergone a reboot. There are no patches for the “NoReboot” technique, as it doesn’t actually exploit any vulnerabilities. To fix that, ZecOps researchers say, Apple needs to build a hardware-based indicator that shows whether the iPhone is on or off.
While “NoReboot” is not malware, the technique can be built into malicious apps as a way to evade detection and gain persistence on iOS devices. As mentioned, “NoReboot” cannot be patched. In addition, ZecOps says the technology can work on any iPhone model running any version of iOS.