Researchers from cyber security firm Zecops have discovered a way to alter an iPhone’s shutdown sequence to trick an infected user into believing the phone has been turned off, but actually is still running and can secretly record photos and videos.
As reported by BleepingComputer, typically iOS malware can be removed by restarting the device, which clears the malware from the smartphone’s memory. But this new technique attaches itself to the shutdown sequence and reboot routines of the device to prevent a true shutdown from ever happening. To the user, it appears as though the phone is off but it is actually still running.
Zecops researchers aptly call the attack a “NoReboot.” During normal operation, simultaneously holding down the power button and either volume button until a slider appears allows a user to turn off the phone. It takes about thirty seconds for the shutdown sequence to complete. When off, the phone’s screen, camera, and other functions appear to be completely disabled.
The researchers were able to disable all of the indicators of a phone being on but keep its malware trojan still running.
“Despite that we disabled all physical feedback, the phone still remains fully functional and is capable of maintaining an active internet connection,” the researchers say. “The malicious actor could remotely manipulate the phone in a blatant way without worrying about being caught because the user is tricked into thinking that the phone is off, either being turned off by the victim or by malicious actors using ‘low battery’ as an excuse.”
When a user decides to turn a their phone back on, the trojan can play the system boot animation with Apple’s logo to convince the user everything is operating correctly and keep its presence hidden. Zecops fully explains its methods in a detailed blog post.
Apple introduced a feature in iOS 15 that makes it so that even iPhones that are shut off can still be located using the Find My feature. The company didn’t explain how this works, but the Zecops researchers discovered it is because Apple keeps the Bluetooth LPM chip active and running even when the phone is off.
In iOS 15, the phone is findable even when “Powered off”. pic.twitter.com/gfi4WJfula
— Costin Raiu (@craiu) September 27, 2021
Because of this intended feature and the fact that they were able to fake a shutdown, the researchers say that it is best to assume that a device can ever be fully turned off unless you have removed its battery of “even better, put it into a blender.”
Image credits: Header photo licensed via Depositphotos.