NoReboot: The Ultimate Persistence Bug
Persistence bugs are a type of malware that remains on infected devices or networks for a long time. Zec0ps’ blog post states that persistence bugs for iOS devices are hard to find. This is because of a limited attack surface and constant checks by Apple’s security team. However, the firm claims that the discovered malware named “NoReboot” is the ultimate persistence bug. Usually, a simple reboot can remove malware from infected iOS devices. However, since an infected device does not actually shut down, the malware remains on it. Zec0ps calls it “a bug that cannot be patched because it’s not exploiting any persistence bugs at all — only playing tricks with the human mind.”
How Does NoReboot Work?
The malware aims to simulate a convincing device shutdown to fool the user. It does so by controlling the event that is activated when a user simultaneously holds and presses the side and volume button, and then drags the “power-off” slider. NoReboot simulates the shutdown by controlling three iOS daemons, (i.e., background computer programs). These are InCallService, SpringBoard, and BackBoardd. The three daemons are injected with specially crafted code which disables the audio-visual cues one associates with a switched-on device. This includes the screen, vibration, sounds, camera indicator, and touch feedback.
Researchers Concerned about NoReboot’s Potential
Zec0ps discovery highlights that malicious actors can hijack the iOS restart process after gaining access to the device. As evidenced by last year’s pegasus controversy, such access is well within the playbook of nation-state groups, and cybercriminals. The firm’s research team shared their concerns on NoReboot, and its potential for misuse while demonstrating the hack. “Despite that we disabled all physical feedback, the phone still remains fully functional and is capable of maintaining an active internet connection,” Zec0p’s researchers stated. “The malicious actor could remotely manipulate the phone in a blatant way without worrying about being caught because the user is tricked into thinking that the phone is off, either being turned off by the victim or by malicious actors using ‘low battery’ as an excuse,” they added. Furthermore, hackers can use NoReboot to simulate a false iPhone “force restart.” An attacker could hijack this process by making the Apple logo appear a few seconds earlier, causing the user into releasing the side button prematurely. If you found this story interesting, we recommend you take a look at our article on trojans.
