Researchers Devise Malware That Runs When an iPhone is Powered Off


Engineers and security researchers at Germany’s Technical University of Darmstadt wrote malicious firmware, loaded it onto an iPhone’s Bluetooth chip, and showed that it kept running after the phone had been powered off. The chip executed their code with the phone nominally shut down, proving that the popular smartphone isn’t safe from attack just because it isn’t on.

This is possible thanks to what Apple calls “low-power mode,” or LPM (not to be confused with the battery-saving Low Power Mode in Settings), which keeps most of the phone’s wireless chips running even after the device has been powered off. In some cases, this is a godsend: it’s LPM that allows users to frantically locate their lost iPhone via the Find My network, even after the phone has died or been turned off. Users are also able to use their Express cards in LPM, allowing them to pass through transit gates or pay for goods and services regardless of their phone’s battery level.


But LPM also provides a prime opportunity for bad actors who are motivated to exploit an otherwise good thing. The Bluetooth and ultra-wideband (UWB) chips in an iPhone are hard-wired to the secure element in the near field communication (NFC) chip, and the device’s power management unit keeps all of these components powered on. This means the parts of LPM that are useful to users, that is, location tracking, credit cards, and personal transit passes, remain reachable over the air, and therefore attackable, even while the phone is off.
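The practical check a defender wants after reading this is whether a given phone still emits Find My beacons once it has been shut down. The following is an added example, not code from the article or from the Darmstadt researchers: it decodes raw BLE advertisement payloads of the kind a scanner such as btmon or a bleak script hands over, and flags Apple’s Find My “offline finding” beacons. The 0x12 sub-type and the 25-byte body layout (status byte, 22 key bytes, key-bits byte, hint byte) are assumptions taken from public reverse engineering (the OpenHaystack project), not from the article, and the sample packets are constructed rather than captured.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterator, Optional

# Bluetooth SIG assigned values: Apple's company identifier and the
# "Manufacturer Specific Data" AD type.
APPLE_COMPANY_ID = 0x004C
AD_TYPE_MANUFACTURER_DATA = 0xFF
# Apple's sub-type for Find My "offline finding" beacons. Assumed from public
# reverse engineering (OpenHaystack), not stated in the article.
APPLE_TYPE_OFFLINE_FINDING = 0x12


def iter_ad_structures(payload: bytes) -> Iterator[tuple[int, bytes]]:
    """Yield (ad_type, value) for each length-prefixed AD structure in a BLE advertisement."""
    i = 0
    while i < len(payload):
        length = payload[i]
        if length == 0:            # zero-length structure: trailing padding, stop
            break
        if i + 1 + length > len(payload):
            # Over-the-air bytes are untrusted input; refuse to read past the buffer.
            raise ValueError(f"AD structure at offset {i} overruns the payload")
        ad_type = payload[i + 1]
        value = payload[i + 2 : i + 1 + length]
        yield ad_type, value
        i += 1 + length


@dataclass(frozen=True)
class OfflineFindingAdv:
    status: int        # status byte (battery / device type)
    key_tail: bytes    # 22 bytes of the rotating public key; the first 6 ride in the random MAC
    key_bits: int      # byte carrying the remaining key bits
    hint: int          # hint/reserved byte


def parse_offline_finding(payload: bytes) -> Optional[OfflineFindingAdv]:
    """Return the decoded Find My beacon if `payload` carries one, else None."""
    for ad_type, value in iter_ad_structures(payload):
        if ad_type != AD_TYPE_MANUFACTURER_DATA or len(value) < 4:
            continue
        if int.from_bytes(value[:2], "little") != APPLE_COMPANY_ID:
            continue
        apple_type, apple_len = value[2], value[3]
        body = value[4 : 4 + apple_len]
        if apple_type != APPLE_TYPE_OFFLINE_FINDING or len(body) != apple_len:
            continue
        if apple_len != 0x19:      # only the full 25-byte variant is decoded here
            continue
        return OfflineFindingAdv(
            status=body[0],
            key_tail=bytes(body[1:23]),
            key_bits=body[23],
            hint=body[24],
        )
    return None


# Constructed sample advertisements (not captured from a real device).
SAMPLE_OFFLINE_FINDING = (
    bytes([0x1E, AD_TYPE_MANUFACTURER_DATA, 0x4C, 0x00, APPLE_TYPE_OFFLINE_FINDING, 0x19, 0x10])
    + bytes(range(1, 23))    # placeholder key bytes
    + bytes([0x40, 0x00])
)
# Flags structure followed by manufacturer data from another vendor (0x0059, Nordic).
SAMPLE_OTHER_VENDOR = bytes([0x02, 0x01, 0x06, 0x05, 0xFF, 0x59, 0x00, 0xAA, 0xBB])


if __name__ == "__main__":
    for name, pkt in (("apple", SAMPLE_OFFLINE_FINDING), ("other", SAMPLE_OTHER_VENDOR)):
        print(name, parse_offline_finding(pkt))
```

Feed it the advertisement payloads captured for a few minutes after the phone is powered off; if beacons still decode, the Bluetooth chip is running in LPM exactly as the paper describes. The parser deliberately rejects AD structures that overrun the buffer, because a scanner that ingests arbitrary over-the-air bytes is itself an attack surface.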

In a paper published last week, the researchers point out that whether a switched-off phone can really be trusted has long been a concern for journalists defending themselves against espionage. “Since LPM support is implemented in hardware, it cannot be removed by changing software components,” they write. “As a result, on modern iPhones, wireless chips can no longer be trusted to be turned off after shutdown.” This could give attackers an opening to disable Find My on an iPhone and steal the device, or to abuse Express Mode to steal the user’s money or transit credentials.

It’s worth pointing out that the researchers used a jailbroken iPhone to conduct the experiment, because loading modified firmware onto the Bluetooth chip requires kernel-level access. This means that the average out-of-the-box iPhone user is unlikely to face exactly the attack simulated here, but it doesn’t mean Apple’s constantly running LPM features are impervious to manipulation. The weakness the researchers highlight is that the Bluetooth chip’s firmware is not signed or otherwise protected, so any attacker who gains kernel-level code execution by other means, for example through an exploit chain, could modify it in the same way, whether the iPhone is jailbroken or not.

The researchers say they alerted Apple to these vulnerabilities. Apple reportedly read the researchers’ paper but “had no feedback on the paper’s contents.”
