Fake Airplane Mode Technique Hides Network Access on iPhones Running iOS 16

Fake Airplane Mode Lets an Attacker Stay Online After Compromising an iPhone on iOS 16

Researchers at Jamf Threat Labs have demonstrated a post-exploitation technique for iPhones running iOS 16 that they call fake airplane mode. To mislead the victim, the attacker's code makes the device display airplane mode as enabled. The user believes the phone is disconnected from the internet, while a malicious app controlled by the attacker keeps its network access and continues to operate without interruption. Jamf presented the technique as a proof of concept for what a compromised device could do, not as something observed in real attacks.

The technique is a post-exploitation step: it presumes the attacker has already exploited a vulnerability to gain code execution on the device, and its purpose is to keep a command-and-control channel open while the user believes the phone is offline. According to the Jamf Threat Labs researchers, “The malware modifies the user interface so that the smartphone owner sees airplane mode as enabled. In reality, the program blocks network access for all apps except itself.”

“When a user enables airplane mode, the network interface pdp_ip0 (cellular data) no longer displays IPv4/IPv6 addresses. Connecting to the network via the cellular operator becomes impossible at the user level,” the researchers explain.

How the Attack Works

Because the attacker's own process keeps its connection, it can fetch additional payloads onto the iPhone while the device appears to be offline. Two pieces are combined. First, the attacker hooks CommCenter, the daemon that manages cellular connectivity, so that it denies cellular data to selected apps rather than disabling the radio. Second, the attacker hooks the user-facing code so that the system window and status indicators show airplane mode as enabled; the hooked function lets the attacker alter what the user sees without changing the real network state.

Analysis of CommCenter also revealed an SQL database that records the cellular data access status for each app, keyed by the app's bundle identifier. An app denied cellular data is recorded with the value 8. Processes that are not regular apps, such as a backdoor or trojan running as a daemon, have no such entry and are therefore not blocked from reaching the internet. The practical consequence is that the airplane mode indicator cannot be trusted on a compromised device; only the network layer (whether pdp_ip0 still holds addresses, and which processes hold open sockets) tells the truth.
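The following added example (not Jamf's code, and not the real CommCenter database layout) shows the consistency check a responder would run against a device image or live capture: compare the airplane mode state the UI reports with the cellular interface's addresses and with the per-app policy table described above. The two-column `cellular_policy` schema, the bundle identifiers, the interface snapshot and the list of processes holding sockets are all constructed for illustration; the only detail taken from the article is that a denied app is recorded with the flag value 8.

```python
import sqlite3

# Per the article, CommCenter records this value for an app denied cellular data.
DENIED_FLAG = 8

# Constructed sample rows in a hypothetical (bundle_id, flag) schema.
# The real CommCenter database layout is not reproduced here.
SAMPLE_POLICY_ROWS = [
    ("com.apple.mobilesafari", DENIED_FLAG),
    ("com.example.mail", DENIED_FLAG),
    ("com.example.weather", 0),            # hypothetical app left online by the attacker
]

# Constructed interface snapshot. In genuine airplane mode pdp_ip0 carries no
# IPv4/IPv6 address; here it still does, which is the tell.
SAMPLE_INTERFACES = {
    "lo0": ["127.0.0.1", "::1"],
    "pdp_ip0": ["10.0.0.2", "2001:db8::2"],
}

# Constructed list of processes holding open sockets: (process name, bundle id or None).
# A daemon-style implant has no bundle identifier and thus no policy row.
SAMPLE_SOCKET_OWNERS = [
    ("com.example.weather", "com.example.weather"),
    ("updated", None),                     # hypothetical non-app process
]


def load_policy(rows):
    """Build an in-memory SQLite copy of the per-app cellular policy table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cellular_policy (bundle_id TEXT PRIMARY KEY, flag INTEGER)")
    conn.executemany("INSERT INTO cellular_policy VALUES (?, ?)", rows)
    conn.commit()
    return conn


def denied_bundles(conn):
    """Bundle identifiers whose cellular data access is recorded as denied (flag 8)."""
    cur = conn.execute("SELECT bundle_id FROM cellular_policy WHERE flag = ?", (DENIED_FLAG,))
    return {row[0] for row in cur}


def cellular_interface_is_up(interfaces, name="pdp_ip0"):
    """True if the cellular interface still holds at least one address."""
    return bool(interfaces.get(name))


def audit(ui_airplane_mode, interfaces, policy_rows, socket_owners):
    """Cross-check the UI state against the network layer and the per-app policy.

    Returns a list of finding strings; an empty list means the picture is consistent.
    """
    findings = []
    conn = load_policy(policy_rows)
    denied = denied_bundles(conn)
    known = {bundle for bundle, _ in policy_rows}

    # A real airplane mode removes the addresses from pdp_ip0; a fake one does not.
    if ui_airplane_mode and cellular_interface_is_up(interfaces):
        findings.append("ui-network-mismatch: airplane mode shown but pdp_ip0 has addresses")

    for process, bundle in socket_owners:
        if bundle is None:
            if ui_airplane_mode:
                findings.append(
                    f"non-app-process: {process} holds sockets but has no per-app policy row"
                )
        elif bundle in denied:
            findings.append(f"policy-violation: denied bundle {bundle} still holds sockets")
        elif bundle in known and ui_airplane_mode:
            findings.append(
                f"selective-policy: {bundle} allowed cellular data while airplane mode is displayed"
            )
    conn.close()
    return findings


if __name__ == "__main__":
    for line in audit(True, SAMPLE_INTERFACES, SAMPLE_POLICY_ROWS, SAMPLE_SOCKET_OWNERS):
        print(line)
```

The first finding alone is enough to distrust the indicator: if the UI says airplane mode but the cellular interface still has addresses, the radio was never turned off. The per-process findings then show which apps were deliberately left online and which non-app processes, the kind an implant would run as, were never subject to the per-app block in the first place.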
