Dubbed "NoReboot," ZecOps' proof-of-concept (PoC) attack is described as a persistence method that can circumvent the normal practice of restarting a device to clear malicious activity from memory.
Making its debut with an analysis and a public GitHub repository this week, ZecOps said that the NoReboot Trojan simulates a true shutdown while providing a cover for the malware to operate -- which could include the covert hijacking of microphone and camera capabilities to spy on a handset owner.
"The user cannot feel a difference between a real shutdown and a 'fake shutdown,'" the researchers say. "There is no user interface or any button feedback until the user turns the phone back 'on'."
The technique presupposes that attacker code is already running on the handset: it is a persistence trick, not an initial-access exploit. It takes over the expected shutdown event by injecting code into three processes: InCallService (the system app that initiates the power-off), SpringBoard, and backboardd.
When an iPhone is turned off, there are physical indicators that the shutdown actually completed, such as a sound, a vibration, and, on power-up, the Apple logo appearing on screen. By suppressing this "physical feedback," the malware can present the appearance of a shutdown while the device in fact stays on and a live connection to an operator is maintained.
"When you slide to power off, it is actually a system application /Applications/InCallService.app sending a shutdown signal to SpringBoard, which is a daemon that is responsible for the majority of the UI interaction," the researchers explained. "We managed to hijack the signal by hooking the Objective-C method -[FBSSystemService shutdownWithOptions:]. Now instead of sending a shutdown signal to SpringBoard, it will notify both SpringBoard and backboardd to trigger the code we injected into them."
backboardd, once hijacked, then draws the spinning wheel that normally indicates a shutdown in progress, while SpringBoard is forced to exit and blocked from relaunching. ZecOps said that with SpringBoard gone, a target iPhone can "look and feel" like it is not turned on, which is the "perfect disguise for the purpose of mimicking a fake power off."
Users, however, still have the option of a forced restart. This is where the tampering with backboardd goes further: by monitoring user input, including how long the buttons are held, the injected code can fake a reboot before the hold reaches the threshold that would trigger a true force restart, for example by displaying the Apple logo early so that the user lets go of the buttons.
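The hook ZecOps describes is an Objective-C method replacement: the IMP behind a selector is swapped in the class's method table so that callers of the selector reach the attacker's code instead of the original. The following is an added illustration, not ZecOps' code and not anything from the NoReboot repository. DemoSystemService is a stand-in class defined here; its selector name mirrors the one ZecOps hooked, but nothing below touches FBSSystemService, SpringBoard or backboardd. It also shows the check a defender can run in-process: snapshot the IMP at launch and compare later.

```objective-c
// Added illustration. DemoSystemService is a stand-in for the private
// FBSSystemService class; it exists only in this file.
#import <Foundation/Foundation.h>
#import <objc/runtime.h>

@interface DemoSystemService : NSObject
@property (nonatomic) BOOL didShutDown;
- (void)shutdownWithOptions:(NSDictionary *)options;
@end

@implementation DemoSystemService
- (void)shutdownWithOptions:(NSDictionary *)options {
    // Stand-in for the genuine shutdown path.
    NSLog(@"genuine shutdown requested with options %@", options);
    self.didShutDown = YES;
}
@end

// Replacement implementation. It deliberately does NOT forward to the
// original IMP, which is the whole point of a fake-shutdown hook: the
// caller believes shutdown was requested, but nothing powers down.
static IMP gOriginalShutdownIMP = NULL;

static void HookedShutdown(id self, SEL _cmd, NSDictionary *options) {
    NSLog(@"shutdown intercepted; original IMP %p not called", gOriginalShutdownIMP);
    // A NoReboot-style payload would start its fake-shutdown animation here.
}

// Install the hook by replacing the method's IMP in the class's method table.
static void InstallShutdownHook(void) {
    Method m = class_getInstanceMethod([DemoSystemService class],
                                       @selector(shutdownWithOptions:));
    gOriginalShutdownIMP = method_setImplementation(m, (IMP)HookedShutdown);
}

// Defender-side heuristic: read the current IMP for a selector. Comparing a
// launch-time snapshot against a later read catches a replacement made after
// startup. It is only a heuristic: code that hooks before the snapshot, or
// that also patches the snapshot, evades it.
static IMP CurrentIMP(Class cls, SEL sel) {
    return method_getImplementation(class_getInstanceMethod(cls, sel));
}

int main(void) {
    @autoreleasepool {
        Class cls = [DemoSystemService class];
        SEL sel = @selector(shutdownWithOptions:);
        IMP baseline = CurrentIMP(cls, sel);

        // Unhooked: the genuine implementation runs.
        DemoSystemService *svc = [DemoSystemService new];
        [svc shutdownWithOptions:@{@"reason": @"slide-to-power-off"}];
        NSLog(@"before hook: didShutDown=%d", svc.didShutDown);

        // Hooked: the same call site now reaches HookedShutdown and the
        // shutdown flag is never set.
        InstallShutdownHook();
        DemoSystemService *svc2 = [DemoSystemService new];
        [svc2 shutdownWithOptions:@{@"reason": @"slide-to-power-off"}];
        NSLog(@"after hook: didShutDown=%d", svc2.didShutDown);

        if (CurrentIMP(cls, sel) != baseline) {
            NSLog(@"integrity check: -[%@ %@] IMP changed since launch",
                  cls, NSStringFromSelector(sel));
        }
    }
    return 0;
}
```

Build on macOS with `clang -fobjc-arc -framework Foundation hook_demo.m -o hook_demo`. The second call never sets `didShutDown`, and the final comparison flags the changed IMP. On a real device the equivalent check would live inside the process being protected, which is exactly the process the attacker has already injected into, so it raises the bar rather than closing the door.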
"Stopping users from manually restarting an infected device by making them believe they have successfully done so is a notable malware persistence technique," Malwarebytes commented. "On top of that, human deception is involved: Just when you thought it's gone, it's still pretty much there."
Because the technique relies on deceiving the user rather than on a vulnerability or bug in the iOS platform, there is nothing for a patch to fix. ZecOps says the NoReboot method works on all versions of iOS, and that only hardware-level indicators, signals that cannot be faked from software running on the device, could reveal it. The practical caveat is that NoReboot is a persistence layer on top of an existing compromise, so preventing that initial code execution remains the real control.