Security researchers have posted proof-of-concept code of an iOS spoof that hides the reboot process. That makes it more difficult for a user to reboot a phone, allowing spreaders to keep malware on a device.
The code was created by ZecOps, which posted the proof-of-concept on GitHub. It is a trojan that the researchers call NoReboot. It is a tool that hides the restart of an iPhone. The researchers say that’s interesting for malware distributors, because it reduces the need for persistence.
Many types of malware disappear from a phone after it reboots; persistent malware is much harder to create and therefore rarer and more valuable. The researchers are spoofing the reboot process, making it look like a phone reboots or is even turned off but in reality continues to work. It is clearly a spoof and not a manipulation of the system. Therefore, it is not an iOS problem that Apple can solve.
The researchers say they can inject code into three daemons that are used when rebooting. Those are IncallService, SpringBoard and finally Backboardd. The first is the slider that users see when they try to reboot an iPhone using the power and volume buttons. Springboard is the iOS user interface process. By sending code there, the trojan can temporarily disable Springboard. As a result, users can no longer provide input on the screen.
Finally, Backboardd is addressed. The latter is not necessarily necessary for the spoof, but is used so that users release the power button earlier. If they hold it in too long, the phone will still reboot, and the spoofing will no longer work. That is why the researchers manipulate Backboard so that the spinning wheel indicates more quickly that the rebooting process has started. At the same time, Springboard can be reloaded to make it look like all processes have restarted.
The researchers have made a video showing how the process works. During that process, the camera of a device continues to work. Users can of course continue to reboot their phone in other ways, so it is not a foolproof method.