NoReboot attack fakes iOS phones shutdown to spy on users

INTRODUCTION

Recently, a brand new technique that fakes iPhone shutdowns to perform spying has been discovered by researchers in all iOS versions. The attack NoReboot is a persistence technique that could stay away from the ordinary practice of restarting an iPhone to clear malicious activity from memory. The NoReboot Trojan simulates a true shutdown to provide a cover for the malware to perform, which could include the covert hijacking of microphone and camera capabilities to spy on a handset owner.

If NoReboot attack is performed the user cannot feel a difference between a real shutdown and a fake shutdown. When an iPhone is turned off, there are physical indicators that shows it has completed successfully, such as a ring or sound, vibration, and the Apple logo appearing onscreen, But by disabling “physical feedback,” the malware could create the appearance of a shutdown while a live connection to an operator is maintained in the background.

Also, the spinning wheel that indicates a shutdown process can be hijacked via backboardd ( a daemon used to handle events from the hardware, such as touches, button presses, and accelerometer information) and the SpringBoard function that can both be forced to exit and block from restarting the handset again. By taking over SpringBoard, the target iPhone can “look and feel” like it is not turned on, which is the best trick for the purpose of mimicking (imitating or copy) a fake power off.

 

CAUSE OF THE FLAW

The NoReboot takes over the expected shutdown event by injecting code into three services:-InCallService, SpringBoard, and backboardd. When a user slides to power off his handset, it is actually a system application /Applications/InCallService.app sending a shutdown signal to SpringBoard, which is a daemon that is responsible for the majority of the UI interaction. And to hijack this signal, the Objective-C method -[FBSSystemService shutdownWithOptions:] needs to be hooked. Now instead of sending a shutdown signal to SpringBoard, it’s going to notify both SpringBoard and backboardd to trigger the code that is injected into them.

But, users still have the option of a forced restart. That is where tampering with backboardd comes in by monitoring user input, including how long buttons are held, and a reboot can be simulated just before a true restart takes place, such as by displaying the Apple logo early. Also, the NoReboot Malware prevents users from manually restarting the device, making them believe that they have done something wrong.

 

OUR RECOMMENDATIONS

  • As the NoReboot technique focuses on tricking users rather than vulnerabilities or bugs in the iOS platform, this is not something that can be fixed with a patch. The NoReboot method impacts all versions of iOS, and only hardware indicators could help in detecting this type of attack techniques.

 

  • Users are recommended to reboot their device daily to remove non-persistent implants.

 

  • Create regular iTunes backups to check them later for signs of compromise.

 

  • Trigger sysdiags (sysdiagnose is a utility on iOS devices used to gather system-wide diagnostic information) regularly and save them.

 

  • Users can also install apps like Access Dots, by using these apps, they will get notified whenever their camera and microphone are accessed in the background.