Cybersecurity researchers from ZecOps have demonstrated a new Trojan for iOS devices, including iPhones, that avoids being terminated by faking a shutdown.
Usually, an iOS malware can be eliminated by rebooting a device, as that clears it from memory. However, a malware strain could potentially trick the victim into thinking the device was shut down when, in fact, it wasn’t, that way remaining operational.
The proof of concept malware, named “NoReboot”, follows a couple of steps. First, the reboot trigger: iOS users need to hold the power button and either volume button, until the slider with the reboot option appears. Then, they need to interact with the slider to initiate the shutdown.
Physical detection impossible
This is the first process that is hijacked. Instead of actually triggering the shutdown, the malware will send a specially crafted code, making the device non-responsive to user input. Then, it will trigger the shutdown process indicator (the spinning wheel), and start monitoring for physical button clicks and screen touches.
That way, the malware will know when the victim tries to “turn on” the device, and prevent them from pressing the power button for too long and actually triggering a hard reset.
“This will exit all processes and restart the system without touching the kernel. The kernel remains patched. Hence malicious code won't have any problem continuing to run after this kind of reboot. The user will see the Apple Logo effect upon restarting,” the researchers explained.
As a result, it is impossible for users to physically detect if the device had been turned off, or not. Describing it as a trick, and not actual malware that exploits flaws, BleepingComputer believes Apple will not bother patching it up.
It remains unclear how the Trojan handles other potential red flags, such as the SIM PIN prompt after every restart, or what happens if the user decides to shut the device down by going to Settings>General>Shut Down.
- You might also want to check the list of best identity theft protection services available right now
Via: BleepingComputer (opens in new tab)