“NoReboot” is a novel technique discovered by researchers in which malware on iOS achieves persistence on an infected device by faking the shutdown process, making it impossible to physically determine whether an iPhone is off or on. It blocks and simulates the iOS reboot operation, deceiving the user into believing that the phone has been powered off when it is still running.
Apple said it is the ultimate persistence bug that cannot be patched, because it does not exploit any persistence bug at all; it only plays tricks on the human mind.
NoReboot works by interfering with the routines iOS uses to shut down and restart the device, preventing them from ever happening and allowing a trojan to achieve “persistence without persistence”, since the device is never actually turned off. It does this by injecting specially crafted code into three iOS daemons, namely InCallService, SpringBoard, and backboardd, to fake a shutdown by disabling all audio-visual cues associated with a powered-on device, including the screen, sounds, vibration, the camera indicator, and touch feedback.
Even though we disabled all physical feedback, the phone remains fully functional and can maintain an active internet connection. The malicious actor could remotely manipulate the phone in a blatant way without worrying about being caught, because the user is tricked into thinking that the phone is off, either having been turned off by the victim or by malicious actors using ‘low battery’ as an excuse.
The malware then forces SpringBoard, iOS’s graphical user interface, to exit, and then commands backboardd, the daemon that handles all touch and physical button click events, to display the Apple logo effect should the user try to turn the still-running phone back on, while the malicious code continues to run.
The technique could theoretically be extended to a force restart as well: by deliberately making the Apple logo appear a few seconds earlier than it should once backboardd registers the button sequence, the victim is fooled into releasing the side button before a force restart is genuinely triggered.
There is no publicly documented malware using a method resembling NoReboot, but the findings highlight that even the iOS restart process is not immune to being hijacked once an adversary has gained access to a target device, something well within the reach of nation-state groups.
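Because NoReboot only fakes the shutdown in user space, the kernel’s recorded boot time never advances across the supposed reboot. The following added example (not part of the article or of the researchers’ PoC) compares two readings of Darwin’s `sysctl kern.boottime` to decide whether a reboot really happened; the sample outputs are constructed, and the check assumes the readings themselves are trustworthy, i.e. taken before the compromise or from a host the device cannot influence.

```python
import re
import subprocess

# Constructed samples in the format `sysctl kern.boottime` prints on Darwin
# (macOS/iOS); not captured from a real device.
BEFORE = "kern.boottime: { sec = 1641200000, usec = 123456 } Mon Jan  3 09:33:20 2022"
AFTER_FAKE = "kern.boottime: { sec = 1641200000, usec = 123456 } Mon Jan  3 09:33:20 2022"
AFTER_REAL = "kern.boottime: { sec = 1641203600, usec = 7 } Mon Jan  3 10:33:20 2022"

_BOOTTIME_RE = re.compile(r"sec\s*=\s*(\d+)")


def parse_boottime(output: str) -> int:
    """Extract the kernel boot time (seconds since the epoch) from sysctl output."""
    match = _BOOTTIME_RE.search(output)
    if not match:
        raise ValueError("unrecognised kern.boottime output: %r" % output)
    return int(match.group(1))


def reboot_happened(before: str, after: str, shutdown_requested_at: int) -> bool:
    """True only if the kernel booted again at or after the moment the user
    believes the device was powered off. A fake shutdown leaves the boot time
    unchanged, so the comparison fails even though the screen went dark."""
    earlier = parse_boottime(before)
    later = parse_boottime(after)
    return later > earlier and later >= shutdown_requested_at


def read_live_boottime() -> int:
    """Read the current boot time from the local Darwin kernel (fails elsewhere)."""
    out = subprocess.run(["sysctl", "kern.boottime"], capture_output=True,
                         text=True, check=True).stdout
    return parse_boottime(out)


if __name__ == "__main__":
    # The user "powered off" the phone at epoch second 1641201000 (constructed).
    print("fake shutdown rebooted:", reboot_happened(BEFORE, AFTER_FAKE, 1641201000))
    print("real shutdown rebooted:", reboot_happened(BEFORE, AFTER_REAL, 1641201000))
```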
A PoC for the technique is available at the link.