This iOS malware fakes an iPhone shutdown to avoid death

PoC iOS Trojan shows how malware can avoid being removed from device memory


Cybersecurity researchers from ZecOps have demonstrated a new proof-of-concept Trojan for iOS devices, including iPhones, that avoids being terminated by faking a shutdown.

Usually, iOS malware can be eliminated by rebooting the device, because a reboot clears it from memory. However, a malware strain could trick the victim into believing the device has shut down when it has not, and so remain running.

The proof-of-concept malware, named “NoReboot”, works in a few steps. First, the reboot trigger: iOS users need to hold the power button together with either volume button until the slider with the shutdown option appears, then drag the slider to initiate the shutdown.

Physical detection impossible


This is the process that gets hijacked. Instead of actually triggering the shutdown, the malware sends specially crafted code that makes the device unresponsive to user input. It then displays the shutdown progress indicator (the spinning wheel) and starts monitoring for physical button presses and screen touches.

That way, the malware knows when the victim tries to “turn on” the device, and can prevent them from holding the power button long enough to trigger a genuine hard reset.

“This will exit all processes and restart the system without touching the kernel. The kernel remains patched. Hence malicious code won’t have any problem continuing to run after this kind of reboot. The user will see the Apple Logo effect upon restarting,” the researchers explained.

As a result, it is impossible for users to physically detect whether the device has actually been turned off. Since this is a UI trick rather than malware that exploits a flaw, BleepingComputer believes Apple will not bother patching it.


It remains unclear how the Trojan handles other potential red flags, such as the SIM PIN prompt that appears after every restart, or what happens if the user shuts the device down via Settings > General > Shut Down instead.

Via: BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
