The ‘NoReboot’ technique is the ultimate in persistence for iPhone malware, preventing reboots and enabling remote attackers to do anything on the device while remaining completely unseen.
In the world of mobile malware, simply shutting down a device can often wipe out any bad code, given that persistence after rebooting is a challenge for traditional malicious activity. But a new iPhone technique can hijack and prevent any shut-down process that a user initiates, simulating a real power-off while allowing malware to remain active in the background.
The stealthy technique, dubbed “NoReboot” by researchers, is “the ultimate persistence bug,” according to a ZecOps analysis this week. The firm also debuted a proof of concept (PoC) showing how to use a faked shutdown to disguise remote spying activity (see below).
The tactic provides a perfect cover for malicious activity, since an infected user might think “that the phone has been powered off, but in fact, it’s still running,” researchers explained. “The NoReboot approach simulates a real shutdown. The user cannot feel a difference between a real shutdown and a fake shutdown. There is no user-interface or any button feedback until the user turns the phone back ‘on’…we cannot, and should not, trust a normal reboot.”
Faking an iPhone Shutdown
Typically, users turn off their iPhones by holding down the volume down and power button at the same time, then sliding the “power off” slider on the touchscreen. After that, the only real indication that the phone is actually off is the fact that the screen is unresponsive and doesn’t “wake up” when tapped or when the side button is clicked; and, of course, calls, text and app notifications cease.
To simulate this state, NoReboot starts by injecting code into three daemons responsible for controlling the shutdown event, according to ZecOps: InCallService, SpringBoard and backboardd.
“When you slide to power off, it is actually a system application /Applications/InCallService.app sending a shutdown signal to SpringBoard, which is a daemon that is responsible for the majority of the UI interaction,” researchers explained, in the analysis. “We managed to hijack the signal by hooking the Objective-C method -[FBSSystemService shutdownWithOptions:]. Now instead of sending a shutdown signal to SpringBoard, it will notify both SpringBoard and backboardd to trigger the code we injected into them.”
The code forces SpringBoard to exit, also blocking it from launching again.
“Because SpringBoard is responsible for responding to user behavior and interaction, without it, the device looks and feels as if it is not powered on,” according to ZecOps.
At this point, there’s no physical indication that the iPhone is on, but it remains fully awake and connected to the internet. That allows nefarious types to wantonly do what they wish on the device without fear of discovery. In the ZecOps PoC, researchers were able to eavesdrop on test users via both the camera and the microphone, all while the phone appeared to be turned off.
“In reality, malicious actors can do anything the end user can do, and more,” according to the analysis.
ZecOps’ PoC can be found on GitHub, and here’s a video demo of it:
From a practical perspective, researchers pointed out that the technique could be built into malware designed to detect when a user is trying to turn off the phone; or the malware could simulate a “low battery” state to use as an excuse for a “shutdown.”
What Happens when the iPhone is Powered On?
When a user goes to turn the phone back on, the normal routine is that the Apple logo appears as the phone wakes up.
NoReboot can simulate this as well, to maintain the illusion and convince the user that the iPhone has, indeed, been successfully powered off and then restarted. Once again, this is accomplished by hijacking the process through code injection.
“When SpringBoard is not on duty, backboardd is in charge of the screen,” researchers explained. “[It] logs the exact time when a button is pressed down [to restart the device], and when it’s been released.”
NoReboot intercepts this process, they noted: The button press event is recorded and inserted into a global dictionary object (BKEventSenderUsagePairDictionary). The insertion can be hooked using the Objective-C method.
“The file will unleash the SpringBoard and trigger a special code block in our injected dylib,” according to ZecOps. “What it does is to leverage local SSH access to gain root privilege, then we execute /bin/launchctl reboot userspace. This will exit all processes and restart the system without touching the kernel. The kernel remains patched. Hence malicious code won’t have any problem continuing to run after this kind of reboot.”
Is There a Patch for NoReboot?
ZecOps researchers noted that even though they call the issue a “persistence bug,” it can’t actually be patched because “it’s not exploiting any…bugs at all — only playing tricks with the human mind.” Via Twitter, the firm said that the technique works on every version of iPhone, and to prevent it, Apple would need to build in a hardware-based indicator for iPhone sleep/wake/off status.
To protect themselves, iPhone users should run standard checks for malware and trojanized apps, and take the usual vetting precautions when downloading and installing new apps.
Password Reset: On-Demand Event: Fortify 2022 with a password-security strategy built for today’s threats. This Threatpost Security Roundtable, built for infosec professionals, centers on enterprise credential management, the new password basics and mitigating post-credential breaches. Join Darren James, with Specops Software and Roger Grimes, defense evangelist at KnowBe4 and Threatpost host Becky Bracken. Register & stream this FREE session today – sponsored by Specops Software.