On iPhone, new malware technique spies on you through the camera (even when you think you have turned it off)

Alexandre Boero

January 07, 2022 at 5:36 pm



Photo © Pierre Crochart

A new Trojan horse targeting iOS and the iPhone has been demonstrated by cybersecurity researchers. It is able to simulate the device powering off and keep using its camera, even when the phone appears to be off.

The discovery comes from ZecOps, a California start-up specializing in the analysis of mobile cyberattacks. It has demonstrated a new proof-of-concept trojan that runs on iOS and lets attackers do, in its words, "funny" things. The trojan gives users the illusion that their iPhone is turned off while it keeps spying on them through the microphone and camera. As persistent malware goes, it is hard to beat.

You thought your iPhone was off …

The theory (but you know what they say about theories) is that if malware gets onto your iOS device and lives only in memory, you just have to restart the device to wipe it out. The ZecOps researchers found that the iPhone is fallible on exactly this point, and because the technique does not exploit a flaw in iOS, there is nothing for Apple to patch.

What makes this malware original, beyond the fact that ZecOps has proven it works? We could almost speak of magic: the trojan prevents the user from actually restarting their infected iPhone while making them believe the phone has shut down and then restarted. This sleight of hand, which makes the malware a persistent little devil, gave it its name: "NoReboot".

But how does it keep the device from really shutting down while simulating the restart? The researchers "hijack the device shutdown event". Instead of letting the iPhone shut down, the malware injects code into three iOS daemons: InCallService, SpringBoard and backboardd. Normally, when you turn off your iPhone by hand, InCallService sends a shutdown signal to SpringBoard. With NoReboot in place, InCallService no longer sends that signal; it instead has SpringBoard and backboardd run the injected code.

The daemons modified by NoReboot (© ZecOps)

Malware that uses trickery and bypasses to create the illusion of a shutdown and restart

The scheme works through to the end: the trojan carries on with the visible shutdown sequence up to the spinning wheel, which disappears quickly and creates the illusion of a switched-off phone. But the iPhone is still on and connected to the Internet, even though it no longer responds. In reality, only the audio and visual cues are disabled: the screen, the vibration motor and the sound.

Once the sleight of hand is in place, what can attackers do? While you think your phone is off, the attacker can simply use your camera and microphone. The technique, which is more a matter of bypass and deception than of an iOS vulnerability, then settles into the role, serious enough, of spy. And NoReboot can also simulate restarting the device.

Here too the trojan plays with the iOS daemons. If the iPhone's owner decides to restart the still-running phone, backboardd, which has locked out user input, can simulate a restart, going so far as to display the Apple logo, just as it displayed the spinning wheel during the fake shutdown. By pretending to shut down and restart the device, the malware remains persistent.

Malwarebytes explains for its part that "It's only a matter of time before hackers cracking down on iOS start integrating it into their malware kits." If you are worried that you have been compromised, your own persistence can beat the malware's: even after the Apple logo appears, hold down the hardware buttons for a forced restart. This goes around the deception and ends up genuinely shutting down and then restarting the iPhone.
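To make the control flow described above concrete, here is a small Python model of the hijack (an added example, not code from the ZecOps proof of concept or from this article). It collapses InCallService, SpringBoard and backboardd into a single event dispatcher, keeps the user-visible cues (screen, haptics, sound, touch) separate from what a second machine on the same network can observe, and models the forced restart as a hardware path that bypasses the hooked handlers, which is the article's claim rather than something this code proves. All class names, fields and event names are constructed for the illustration.

```python
"""Model of a NoReboot-style shutdown hijack (illustrative, not the ZecOps PoC).

The real technique injects code into InCallService, SpringBoard and backboardd;
here those daemons are collapsed into one event dispatcher so the control flow
can be followed. Everything below (Device fields, event names, the observer
checks) is a constructed assumption for the example.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass
class Device:
    powered: bool = True
    display: bool = True
    haptics: bool = True
    audio: bool = True
    input_enabled: bool = True
    network: bool = True
    # RAM-only implant: the kind a genuine reboot would wipe
    memory_resident: List[str] = field(default_factory=lambda: ["implant"])
    log: List[str] = field(default_factory=list)


def real_shutdown(dev: Device) -> None:
    """Genuine power-off: every subsystem goes down and RAM is lost."""
    dev.log.append("real shutdown")
    dev.powered = dev.display = dev.haptics = dev.audio = False
    dev.input_enabled = dev.network = False
    dev.memory_resident.clear()


def real_reboot(dev: Device) -> None:
    real_shutdown(dev)
    dev.log.append("boot: Apple logo")
    dev.powered = dev.display = dev.haptics = dev.audio = True
    dev.input_enabled = dev.network = True


def fake_shutdown(dev: Device) -> None:
    """Hijacked handler: silence every cue the user can perceive, keep the rest."""
    dev.log.append("fake shutdown: spinner shown, then blank screen")
    dev.display = dev.haptics = dev.audio = False
    dev.input_enabled = False  # backboardd ignores touches so the phone "looks" dead
    # powered, network and memory_resident are deliberately left untouched


def fake_reboot(dev: Device) -> None:
    """Hijacked restart: draw the Apple logo, restore cues, never power-cycle."""
    dev.log.append("fake reboot: Apple logo drawn by backboardd")
    dev.display = dev.haptics = dev.audio = True
    dev.input_enabled = True


class Dispatcher:
    """Stand-in for the InCallService -> SpringBoard shutdown signal path."""

    def __init__(self, dev: Device) -> None:
        self.dev = dev
        self.handlers: Dict[str, Callable[[Device], None]] = {
            "shutdown": real_shutdown,
            "reboot": real_reboot,
        }

    def send(self, event: str) -> None:
        self.handlers[event](self.dev)


def install_noreboot(disp: Dispatcher) -> None:
    """What the injected code amounts to in this model: swap the handlers."""
    disp.handlers["shutdown"] = fake_shutdown
    disp.handlers["reboot"] = fake_reboot


def force_restart(dev: Device) -> None:
    """Hardware button sequence, modelled as not passing through the hooked daemons."""
    real_reboot(dev)


def user_thinks_off(dev: Device) -> bool:
    """Everything the person holding the phone can perceive."""
    return not (dev.display or dev.haptics or dev.audio or dev.input_enabled)


def observer_sees_on(dev: Device) -> bool:
    """What a laptop on the same Wi-Fi can see: does the phone still answer?"""
    return dev.powered and dev.network


def scenario() -> dict:
    dev = Device()
    disp = Dispatcher(dev)
    install_noreboot(disp)

    disp.send("shutdown")  # user slides to power off
    after_slide = (user_thinks_off(dev), observer_sees_on(dev),
                   "implant" in dev.memory_resident)

    disp.send("reboot")  # user "restarts"; only the logo animation happens
    implant_after_fake_reboot = "implant" in dev.memory_resident

    force_restart(dev)  # hardware path: a real power cycle
    after_force = ("implant" in dev.memory_resident, observer_sees_on(dev))

    return {
        "slide_to_power_off": after_slide,
        "fake_reboot_keeps_implant": implant_after_fake_reboot,
        "force_restart": after_force,
    }
```

The split between user_thinks_off and observer_sees_on is the practical check: a phone that has really powered off stops answering on the network, so a laptop that can still reach the "switched-off" iPhone is a stronger signal than a dark, unresponsive screen.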

On the same subject :
Predator: surprise, Pegasus is not the only spyware targeting politicians, activists and journalists

Sources: GitHub (ZecOps), Malwarebytes
