Faking an iPhone shutdown could allow malware to survive a reboot



Security researchers have developed a technique for faking an iPhone shutdown and restart. Because the device never actually reboots, malware that would normally be cleared by a restart keeps running while the user believes the phone has been power-cycled.

Normally a reboot clears malware that lives only in memory, which is why many iOS implants that lack a persistence mechanism do not survive a restart. The technique, dubbed "NoReboot" by researchers at ZecOps, sidesteps that by preventing the real reboot from ever happening while convincingly simulating one.

The technique works by faking the shutdown sequence so that the user believes the device has been powered off. If the trick succeeds, any malware already on the device keeps operating, and the attacker could continue to monitor the user through the iPhone's camera and microphone without their knowledge.

"NoReboot" works by injecting code into three system processes involved in shutting the phone down: InCallService (which handles the slide-to-power-off shutdown request), SpringBoard (the iOS user interface) and backboardd (which manages the display and input events). With these hooked, the shutdown request is intercepted, the screen is blanked and the device is made unresponsive to touch and buttons, so it looks and behaves as though it were off.

Once the shutdown sequence has been hijacked, the iPhone appears to be off but is in fact fully awake and connected to the internet, which leaves the attacker free to keep operating without alerting the user.

The process also works in reverse. "NoReboot" can display a fake boot sequence, including the Apple logo, to convince the user that the iPhone has genuinely restarted.

There is no patch for the "NoReboot" technique because it does not exploit a bug: it relies on an attacker who already has code execution on the device abusing legitimate system behaviour. ZecOps researchers said the only robust fix would be a hardware-based indicator showing whether the iPhone is actually powered on or off, since any software-drawn indicator can itself be faked.

"NoReboot" is not itself malware and gives an attacker no initial foothold. Rather, it is a post-exploitation trick that could be built into malicious code to evade detection and keep running through what the user believes are reboots.

Who's at risk — and how to protect yourself

As mentioned earlier, "NoReboot" cannot be patched in software. ZecOps says the technique can be carried out on any iPhone model running any version of iOS, although an attacker must first compromise the device by other means.

iPhone users can reduce their risk by keeping iOS up to date, which closes the vulnerabilities an attacker would need in order to get code onto the device in the first place, and by only installing reputable apps from the App Store. There are also tools, including one made by ZecOps, that can check whether an iPhone has been compromised. Finally, a restart that is faked in software cannot be distinguished from a real one by watching the screen, so a device that is suspected of compromise should be treated as running until it has been verified by other means.