This is what happens when you release a feature letting users track their iPhone even when it has been turned off …

On 5 Jan this year, researchers from a cybersecurity firm announced a proof of concept (PoC) showing that a trojan for the Apple iPhone can fake a shutdown or reboot to prevent malware from being removed from memory, leading to longer malware persistence and, consequently, higher exposure to other cyber risks.

iPhone users are used to the often-cited instruction to restart their phone if they suspect malware is active in memory. According to Oded Vanunu, Head of Products Vulnerability Research, Check Point Software Technologies, “this is helpful when the malicious code is running from memory and not from the device’s storage (due to an attempt to avoid detection)”.

However, the proof of concept shows that sufficiently crafty malware can hook the iOS shutdown and reboot routines to simulate the restart, thereby staying active.

An un-patchable exploit

Apparently, the method of attack does not exploit any flaws in iOS but relies on “human-level deception” by simulating the cues of an actual shutdown and restart. Vanunu said that the malware “can even use social engineering to show Apple’s famous reboot screen with the company logo.”

This effectively implies that such a threat cannot be patched by Apple if a trojan of this nature (named “NoReboot” by its inventors, ZecOps) ever came to light in any way.

Also, the proof of concept shows that if a phone can be made to appear shut down when it is not, then hackers can snoop on users via the phone’s microphone and transmit sensitive data via the phone’s network connection, which is still ‘live’.

To make matters worse (or maybe the NoReboot proof of concept was indirectly inspired by this), since iOS 15 Apple has offered a feature allowing users to track their phone even when it has been turned off. Therefore, the moral of the trojan proof of concept for iPhone users is “Never trust an i-device to be off, until you have removed its battery or even better put it into a blender”!