Google researchers have uncovered concentrated malware campaign that has been targeting iPhones for at least two years. There’s a chance that this may be over now, although they warn it’s possible there are others that are yet to be seen.
Titled Project Zero, Google’s researchers were told to find zero-day vulnerabilities in the software, in which they had discovered a small collection of malicious websites that could be used to hack the devices, using previously undisclosed five different “exploit chains” — where a series of flaws are linked together to mount an attack.
14 different vulnerabilities were found that affected iOS 10 to iOS 12. After the team privately disclosed the flaws, Apple then issued a patch as part of its iOS 12.1.4 update back in February. Google gave the Cupertino-giant maker just a week to fix them.
Project Zero researcher Ian Beer said, “There was no target discrimination; simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant. We estimate that these sites receive thousands of visitors per week. If the phone is rebooted then the implant will not run until the device is re-exploited when the user visits a compromised site again.”
Another discomforting thing is that the malware implant also uploaded the devices’ keychain that securely stores data such as Wi-Fi passwords, login credentials, and certificates — and the data containers associated with a hard-coded list of third-party apps like WhatsApp, Telegram, Skype, Facebook, Viber, Gmail, and Outlook.
“All that users can do is be conscious of the fact that mass exploitation still exists and behave accordingly; treating their mobile devices as both integral to their modern lives, yet also as devices which when compromised, can upload their every action into a database to potentially be used against them,” Beer said.
Apple was known to be pro-privacy but these events make matters worse.