How Can iOS Malware Silently Spy on Users?

Haseeb Awan
July 7, 2022
Modified On
April 5, 2023

In this article, we will discuss the mindset of mobile hackers: how mobile threat actors think, what tricks they use to overcome security measures, and the signs that our smartphones and tablets have been hacked.

Let's start by proving that the newly introduced orange/green microphone and camera indicators do not actually constitute a security hurdle for malicious mobile hackers.

An orange dot and a green dot are two new indicators available in iOS 14. These indicators let you know when the camera or microphone is being used. If there is no orange or green dot, you shouldn't be concerned that your phone is spying on you.

As we know, spyware like NSO/Pegasus can listen in on the mic. Can NSO Group and other threat actors attacking mobile phones record you when the indicator is off? Kaspersky researched the same question and found cases of malware spying on iOS users anonymously.

What is iOS Malware?

The primary new finding in the ongoing RCS investigation is how iPhones are infected. First, malware for iOS is installed on the victim's device. The attack vectors vary from case to case and include social engineering, spear-phishing, exploits, and other malicious techniques. When the victim plugs in the smartphone to connect it with iTunes, the malware quietly lurks in the device's background, performing standard surveillance tasks like keylogging. If the spyware operator allows a phone attack, a Trojan attempts to surreptitiously jailbreak the linked iPhone, and then the mobile spying module is installed. The iPhone restarts at this point, which is the only obvious indication that something is wrong. The malware is quite intelligent and employs several logical triggers to snoop covertly.

The RCS smartphone Trojans are strong enough to carry out every type of surveillance you might anticipate from malware of this type, such as location tracking, photo-taking, snooping on WhatsApp, SMS, and other messengers, contact-stealing, and so forth.

Some restrictions determine whether hackers can exploit a particular iPhone. First, it must run an iOS version that can be "jailbroken." For instance, the latest versions have no recorded jailbreak, but older versions are weak. Second, the iPhone must have its passcode removed before being jailbroken. Though both scenarios are common, spyware developers have an extensive collection of iOS-running awards.

How do Hackers Inject Malware on iOS?

ZecOps examined iOS and how it functions to find out how hackers can exploit the microphone and camera without turning on your iPhone's orange and green indicators. Here is what they found:

Compromising the Microphone Is Comparatively Easy

The first thing you need to consider is whether the indicator actually turns on every time the microphone or camera is used.

You can run this experiment yourself to find the answer. When you say "Hey Siri", your iPhone activates the microphone, and Siri is ready to help you. But it doesn't turn on the indicator, does it? Yet your phone was listening to you the whole time. It means your phone constantly monitors your voice but only activates Siri when you say the keyword "Hey Siri".

Another instance is Voice Control, which lets you interact with the phone through voice commands by accessing the microphone. It allows you to search for anything online or on the phone. For these functions to work, the microphone must be accessed. However, these features do not cause the visual indicators to turn orange or green. As a result, it is not wrong to assume that mobile malware can also exploit this and spy on you without your knowledge.

This indicates that hackers can gain silent access to the microphone by injecting malware code into your phone's software.

How? By bypassing the TCC prompt.

TCC stands for Transparency, Consent, and Control. iOS users frequently encounter this prompt. The heart of TCC is a system daemon called tccd, which controls access to private data and authorization to gather personal data from input sources like the microphone and camera.

Also, the TCC prompt only works with UI-based applications. Anything operating in the background needs special permission to function. For microphone access, just kTCCServiceMicrophone is required. However, another patch is necessary for the camera, making it harder to compromise.
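A defender-side check related to the TCC description above, added here as an example and not part of the original article or of the research it summarizes: it audits a copy of a device's TCC database for clients recorded as allowed to use the microphone or camera. The table layout, the `auth_value` and `client_type` codes, the sample rows, and the app inventory are assumptions constructed for illustration.

```python
import sqlite3

# Simplified subset of the TCC "access" table (assumed iOS 14+ layout).
SCHEMA = """CREATE TABLE access (
    service TEXT, client TEXT, client_type INTEGER,
    auth_value INTEGER, last_modified INTEGER)"""

# Constructed sample rows, not taken from a real device.
SAMPLE_ROWS = [
    ("kTCCServiceMicrophone", "com.example.voicememo", 0, 2, 1650000000),
    ("kTCCServiceCamera", "com.example.scanner", 0, 2, 1650000100),
    ("kTCCServiceMicrophone", "com.example.game", 0, 0, 1650000200),
    ("kTCCServiceMicrophone", "/private/var/tmp/helperd", 1, 2, 1650000300),
    ("kTCCServiceCamera", "com.example.unknownapp", 0, 2, 1650000400),
    ("kTCCServicePhotos", "com.example.gallery", 0, 2, 1650000500),
]

CAPTURE_SERVICES = ("kTCCServiceMicrophone", "kTCCServiceCamera")
AUTH_ALLOWED = 2       # assumed codes: 0 = denied, 2 = allowed
CLIENT_TYPE_PATH = 1   # assumed codes: 0 = bundle ID, 1 = absolute path


def build_sample_db():
    """Create an in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO access VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def audit_capture_grants(conn, installed_bundle_ids):
    """Return (service, client, reason) for each allowed grant worth review."""
    findings = []
    query = ("SELECT service, client, client_type FROM access "
             "WHERE auth_value = ? AND service IN (?, ?) ORDER BY last_modified")
    for service, client, client_type in conn.execute(
            query, (AUTH_ALLOWED, *CAPTURE_SERVICES)):
        if client_type == CLIENT_TYPE_PATH:
            # UI apps are identified by bundle ID; a raw path is unusual.
            findings.append((service, client, "client is a binary path, not an app bundle"))
        elif client not in installed_bundle_ids:
            findings.append((service, client, "bundle ID not in installed-app inventory"))
    return findings


if __name__ == "__main__":
    inventory = {"com.example.voicememo", "com.example.scanner", "com.example.gallery"}
    for finding in audit_capture_grants(build_sample_db(), inventory):
        print(finding)
```

Only grants recorded in the database are visible to this check.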

Exploiting the Camera Isn't That Hard Either

Access to the camera is somewhat more challenging. An additional system daemon known as mediaserverd ensures that no application running in the background can use the camera.

mediaserverd keeps track of media capture events. Apps wishing to use the camera require tccd and mediaserverd approval. After tccd, it adds another level of security. When it determines an app is no longer active in the foreground, it stops allowing access to the camera.

Notably, mediaserverd has a special entitlement (get-task-allow) to stop code injection.

Because of the "get-task-allow" entitlement, dynamic debuggers that depend on acquiring task ports, such as cycript, do not work on it. Hence Frida is incompatible with the mediaserverd daemon. If mediaserverd stops responding, even for a brief period, the system routinely kills it. These unusual indications suggest that mediaserverd is in control of a crucial task.

Mediaserverd receives a notice when a process enters the background and revokes camera access for that specific process. To compromise the camera, hackers must figure out a way to get mediaserverd to do nothing if it notices the active background process.

It was discovered that there is no need to change any code, because it is feasible to stop mediaserverd from revoking camera access by hooking into an Objective-C method.

Using lldb to inject into mediaserverd can compromise the camera. Rather than relying on the task port, lldb calls the kernel for code injection. Malicious attackers who can already execute kernel code can replace mediaserverd's entitlements to execute such an injection.

How to Protect Yourself?

The best way to protect your iOS device is by avoiding jailbreaking your iPhone and regularly updating iOS on your device to the most recent version to reduce infection threats. Additionally, using strong antivirus and anti-malware software on your device significantly lowers the chance of contracting an infection.
Haseeb Awan
CEO, Efani Secure Mobile