Security researchers with Jamf Threat Labs shared details of a new post-exploitation tampering technique that allows to carry out covert attacks while fooling iPhone users into believing that their device is running in Lockdown Mode when it's not.

First introduced in July 2022, Lockdown Mode is a security feature designed to protect iPhones, iPads and Macs from state-sponsored hacking. Lockdown Mode reduces the attack surface by disabling the most commonly exploited vulnerabilities for spyware by automatically blocking certain types of calls from unknown users, blocking previews for website links and preventing multimedia downloads. The function also blocks the device from automatically pairing, syncing, or interacting with external devices even if it is physically connected.

However, the Lockdown Mode doesn't function as antivirus software, it doesn't detect existing infections, and it doesn't affect the ability to spy on an already compromised device, the researchers warned.

The tampering technique only works on devices that have already been infected with malware, Jamf said. The new method doesn’t exploit any vulnerabilities in Lockdown Mode itself. Instead, it enables malware to deceive users by creating a false impression that their phone is operating in Lockdown Mode.

The attack involves manipulating the code on a compromised device to establish a deceptive “Fake Lockdown Mode.” When the user activates the Apple security service, the phone seemingly enters Lockdown Mode and replicates its security restrictions. However, no actual alterations are made to the device's configuration.

Typically, when a user activates Lockdown Mode, the device undergoes a restart to implement the changes. Jamf identified a method to bypass this restart requirement. By having iOS trigger the initiation of a file named “/fakelockdownmode_on,” the researchers could replace the necessary system reboot with the userspace reboot instead, enabling the injected code to maintain adaptable control over Lockdown Mode.

“This also means that even malware lacking persistence can persistently run and monitor the user,” the researchers noted.

Jamf added that this technique is only a proof of concept and has not yet been observed in the wild.