Jamf Blog
Spying on users from the bushes with binoculars
January 11, 2022 by Jesus Vigo

iOS malware PoC that runs with persistence and isn’t a zero-day

ZecOps identified a vulnerability in the way iOS processes feedback input, allowing for malware to run in memory but also with persistence, making it nearly undetectable to users — and worse, it even tricks users into thinking the device is powered off while still being able to spy on users.

Before we jump to the thought that our worst fears of real iOS malware have come true, let’s start by saying that while the attack has been identified and tested against iOS, the team responsible for identifying it — ZecOps — is a security company that focuses on developing software to enable security investigations and data gathering for Apple and mobile platforms. So rest assured, thus far this attack is not being exploited in the wild and exists solely as a proof of concept (PoC).

Now that we’ve heard the good news, the not-so-good news is that this is still a PoC, meaning that it is an example of what an attack like this is capable of. Not a “what if…” but a real-world example of not only malware that runs on iOS. However, unlike prior malware that runs solely within the memory space and get cleared out whenever the device isrebooted, what makes this one so special is that the authors have devised a clever way to establish (and maintain) persistence. This is a feature that hasn’t been seen on iOS until now.

In this blog, we’ll cover:

  • What this malware PoC can do
  • What users should know to stay safe
  • Tips for good mobile security hygiene

It can do what?!

As previously mentioned, the malware PoC is interesting in that it can not only affect devices by running in resident memory, but where as typical malware would get eradicated when the affected device is rebooted, this PoC stays chugging along without even a hint that something is wrong.

According to the research team at ZecOps, the cause isn’t so much a vulnerability as it is a byproduct of the way in which iOS handles the Home screen; user inputs, such as taps, swipes and button presses; and the daemon that handles system restarts. ZecOps provides a full breakdown of the technical details behind how the malware works.

In a nutshell, the standard shutdown process when using the hardware buttons works by sending a signal to the InCallService daemon which is responsible for sending the shutdown message — users see this as the “slide to power off” message in the UI. This message is sent to SpringBoard (UI) and, when the user swipes on the screen and SpringBoard exits, the message is then sent to Backboardd where it triggers the spinning wheel to indicate the device shutting down.

However, once the malware payload is delivered to the victim’s iOS-based device and running within memory, the Home screen’s appearance remains unchanged to the end user. Behind the veil, the malicious code will intercept prompts by thenext time the user tries to reboot or shut down the device by hooking into the aforementioned daemons to execute the commands with arguments, effectively modifying how they run and (more importantly) how the user views them on the device. In this case, the malicious code will intercept the hardware button inputs and respond with a fake shutdown screen, except it’s delivered a bit earlier than if the device had shown the legitimate shutdown screen. When the user slides to shut down, the message is intercepted once again and the malicious code executes the Backboardd commands — also with modifications — so that it appears as though the device is powering off normally. In fact, the code has modified the display of the Apple logo after exiting SpringBoard, effectively leaving the device in a state where the UI is not visible (i.e., a blank screen), but iOS is still very much powered on.

More importantly, during this state of seemingly being “off,” the malicious code is still running on the device unbeknownst to the user and it has access to the hardware and sensors built-in, such as the video camera and microphone, to spy on the victim as the video below demonstrates this in real-time. Effectively, the researchers have found a way to make it look like the device is shut down while it is very much active. As a result, the malware continues to run even though the user “rebooted” the device.

Hope is not (completely) lost

ZecOps has an interesting quote relating to what they refer to as “the ultimate persistence bug,” being “a bug that cannot be patched because it’s not exploiting any persistence bugs at all — only playing tricks with the human mind.”

In this case, there doesn’t appear to be any zero-day vulnerabilities being exploited, so technically there’s nothing to patch to prevent something like this from occurring. What this means, though, is that the power rests in the hands of users to potentially resolve this type of infection themselves by simply changing how they reboot their device.

Instead of holding the Power and Volume Down buttons to trigger the shutdown screen, users can alternately tap on Settings > General > Shutdown to manually shut down their iOS-based device. Additionally, the hard reboot method below was mentioned by ZecOps as working to shut down the device without triggering the NoReboot malware:

  1. Press Volume Up
  2. Press Volume Down
  3. Press and hold Power button until “slide to power off” appears
  4. Swipe across screen to hard-reboot device

Practicing safe mobile

You’ve got a passcode on your device and it’s practically glued to your hand, so you’re safe, right? After all, the demo victim device in the video didn’t have a passcode. No, it didn’t, but ZecOps assured us that it was done only out of ease of demonstration. But if a passcode is enabled, the malicious code will launch with a passcode prompt to further appear as if nothing is wrong.

So, what can end users do to protect themselves, their mobile devices and their data? Good question! The following takeaways are good hygiene precautions users can and should take to maximize protection of their devices and privacy data.

  • Enable a strong passcode

  • Reboot your device regularly

  • Keep your device physically secured — don’t leave it laying around

  • Do not connect your devices to unknown/untrusted computers, outlets or any such connection you don’t have control over… you never know what may be lurking on the other side

  • Also, don’t use untrusted/unknown cables or accessories either, since you don’t know whether they’ve been tampered with

  • Keep iOS security maximized by not jailbreaking your device, and especially don’t download “cracked” software…this is often malware in disguise

  • Never download any software you don’t know or simply don’t need

  • Do keep iOS patched to the latest version as well as your apps updated

  • It’s never a good idea to use “free” or “public” Wi-Fi as the connections are not secure, but if you must, use a VPN or ZTNA app you trust to keep communications secured

  • Never, ever, ever click on links in your email, text messages or anywhere on social media — no good can come of clicking on unknown or unsolicited links

Security concerns giving your organization a hard time? Jamf helps your IT department work smarter — not harder

by leveraging the power of Jamf Pro to make short work of managing your device fleet and see the difference for yourself!

Subscribe to the Jamf Blog

Have market trends, Apple updates and Jamf news delivered directly to your inbox.

To learn more about how we collect, use, disclose, transfer, and store your information, please visit our Privacy Policy.