Security researchers have developed a new technique for faking a shutdown on iPhone, potentially granting malware persistence even after an iOS reboot.
Generally, a reboot will wipe any malicious code off an iPhone. But the technique, dubbed "NoReboot" by researchers at ZecOps, could allow iPhone malware to gain persistence, that is, to survive after reboots.
The technique works by faking an iPhone shutdown in an attempt to trick a user into believing their device has been shut off. If an attacker pulls off the trick, any malware can continue operating on the device — and the bad actor could also potentially spy on a user with an iPhone's camera and microphone without their knowledge.
"NoReboot" works by injecting malicious code into three background processes — InCallService, SpringBoard and backboardd — that are responsible for the reboot process on iPhone.
Once an attacker hijacks the reboot process, an iPhone will appear to be off to the user but will be fully awake and connected to the internet. That could allow the attacker to do pretty much anything they want without alerting the user.
The process also works in reverse. "NoReboot" can show a fake wake or startup process to trick the user into believing that their iPhone has actually undergone a reboot.
There's no patch for the "NoReboot" technique because it doesn't actually exploit any bugs. To fix it, ZecOps researchers said that Apple would need to build in a hardware-based indicator to display an iPhone's on or off status.
While "NoReboot" isn't malware, the technique could be built into malicious applications as a way of evading detection and gaining persistence on an iOS device.
Who's at risk — and how to protect yourself
As mentioned earlier, "NoReboot" can't be patched. Additionally, ZecOps says that the technique can be carried out on any iPhone model running any version of iOS.
iPhone users can protect themselves by only downloading reputable apps from the App Store. There are also tools, including one made by ZecOps, that can check if an iPhone has been compromised.
7 Comments
What happens if the iPhone shuts down because the battery runs out of power? In this case, is the NoReboot code still present in the compromised background processes and is the malicious code which installed it (or any other malicious code) still present?
Watch the video and you will see the obvious giveaway that a true shutdown did not occur - FaceID was not disabled and the mandatory passcode entry was not required at first unlock. Also recall that the iPhone uses unique text when prompting for the passcode after a shutdown or restart compared to repeated FaceID or TouchID failures.
This wouldn't survive a hardware reboot, which for the past half decade has been pressing volume up, then volume down, then holding the side button.
https://support.apple.com/en-is/guide/iphone/iph8903c3ee6/ios
Gotta keep in mind that for security researchers everything is an apocalypse. Apparently you have to install an app with the malicious code and how do you do that unless you jailbreak your iPhone. Another nothing-burger here. Let’s move along, please.
This just in: if you lose the key to your front door, someone can find that key and use it to open your door! A bug that can’t be patched.