Threat actors can simulate iPhone reboots and keep iOS malware on a device

In a piece of groundbreaking research published on Tuesday night, security firm ZecOps said that it found a way to block and then simulate an iOS restart operation, a technique that they believe could be extremely useful to attackers who may want to trick users into thinking they rebooted their device and as a result, maintain access for their malware on that infected system.

The technique is of extreme importance and gravity because of the way the iPhone malware landscape has evolved in recent years, where, due to advances in the security of the iOS operating system, malware can't achieve boot persistence as easily as it once did.

Because of this, today, most iOS malware strains focus on infecting a device, gaining root access, and harvesting and spying on the user until victims restart their iPhones and iPads, after which the attacker tries to infect the victim again.

As a result, many security experts have recommended over the past year that users who might be the target of malicious threat actors regularly reboot devices in order to remove backdoors or other implants.

And some more generic iOS security tips: reboot your device daily, to remove non-persistent implants. Create regular iTunes backups, to check them later for signs of compromise. Trigger sysdiags regularly and save them.

— Costin Raiu (@craiu) September 14, 2021

ZecOps presents new NoReboot technique

But in a blog post on Tuesday, ZecOps said that the iOS restart process isn't immune to being hijacked once an attacker has gained access to a device.

The researchers said they developed a technique they called NoReboot that taps into SpringBoard (the Apple iOS UI app, aka the Home Screen) and Backboardd (the daemon behind SpringBoard) to detect and intercept a phone restart command (such as pressing the Volume Down + Power buttons) and then disabling the SpringBoard UI instead of shutting down the entire OS.

This effectively leaves the iPhone screen with no UI, mimicking the state a device is usually in when it is turned off.

However, the device is still powered on, but without a user interface. To prevent the device from ringing or vibrating, ZecOps said its NoReboot proof-of-concept code also disables features such as 3D Touch feedback, camera LED indicators, and vibration and sound for any incoming calls or notifications.

The proof-of-concept code also includes a fake boot-up screen to complete the illusion of a full iOS reboot.

NoReboot can "theoretically" work with forced restarts too

ZecOps said the NoReboot technique works with regular restarts but does not work with forced restarts, which take place at a hardware level, rather than software.

"We have not found an easy way to hijack the force restart event. This event is implemented at a much lower level," ZecOps researchers said.

However, ZecOps researchers warn that this does not mean users should believe they are safe if they perform a forced restart.

Because the forced restart event requires users to rapidly press the Volume Up and Volume Down buttons multiple times and then long-press the Power Button, an attacker could watch for a pattern that resembles a forced restart, block it before it finishes, and then perform the NoReboot attack instead.

The discovery and revelation of the new NoReboot attack highlights that users should not solely rely on iOS reboots to remove malware from their device but should primarily rely on classic security apps and forensics tools to identify and remove such threats instead.

At the time of writing, no iOS malware has been seen or publicly documented using a trick resembling NoReboot.