Google researchers have uncovered a malicious attack campaign against iPhone users that could be one of the largest ever. They found a series of hacked websites that have reportedly been delivering exploits designed to compromise iPhones. Google says these websites delivered their malware indiscriminately. The most striking fact is the scale: the websites were visited thousands of times every week. The search giant also observed that the attacks had been operational for years.
Some of these attacks used zero-day exploits, taking advantage of vulnerabilities that Apple was not aware of at the time. Zero-day exploits have historically been the most effective way to break into devices: because the affected vendor does not know about the flaw, malicious actors can spread malware without being detected or patched against. Researchers at Google have been at the forefront of finding zero-day exploits affecting popular operating systems and software.
“There was no target discrimination; simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant,” Ian Beer, member of Project Zero, said in a blog post. “We estimate that these sites receive thousands of visitors per week.”
Beer notes that Google’s Threat Analysis Group (TAG) was able to collect five separate, complete and unique iPhone exploit chains. These chains rely on 14 vulnerabilities and cover almost every version from iOS 10 to the latest iOS 12. The Project Zero team notes that the exploits point to a sustained effort to hack iPhone users over a period of at least two years. At least one of the chains has been identified as a zero-day exploit.
Photo: Google Project Zero
Apple fixed the issue with iOS 12.1.4 in February after Google alerted the company with a 7-day deadline. Once a device is exploited, the attacker can deploy malware onto the user’s iPhone. “The implant is primarily focused on stealing files and uploading live location data. The implant requests commands from a command and control server every 60 seconds,” Beer explains.
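The fixed 60-second polling cadence Beer describes is the kind of pattern a network defender can hunt for. The following is an added example, not code from the article or from Project Zero: a small beaconing detector run over constructed outbound-connection log lines (the hosts, addresses and log format are assumptions).

```python
# Added example (not from the original article or Project Zero): flag
# (source, destination) pairs whose connection gaps cluster tightly around a
# period of ~60 s, matching the C2 polling interval of the implant described.
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log lines: "<ISO timestamp> <src> -> <dst>".
# 10.0.0.7 -> 203.0.113.9 is a regular ~60 s beacon with slight jitter;
# the 198.51.100.20 traffic is irregular browsing; 10.0.0.8 connects once.
SAMPLE_LOG = """\
2019-08-30T10:00:00 10.0.0.7 -> 203.0.113.9
2019-08-30T10:00:05 10.0.0.7 -> 198.51.100.20
2019-08-30T10:00:20 10.0.0.7 -> 198.51.100.20
2019-08-30T10:01:01 10.0.0.7 -> 203.0.113.9
2019-08-30T10:02:00 10.0.0.7 -> 203.0.113.9
2019-08-30T10:02:30 10.0.0.7 -> 198.51.100.20
2019-08-30T10:03:00 10.0.0.7 -> 198.51.100.20
2019-08-30T10:03:02 10.0.0.7 -> 203.0.113.9
2019-08-30T10:03:30 10.0.0.8 -> 203.0.113.9
2019-08-30T10:04:01 10.0.0.7 -> 203.0.113.9
2019-08-30T10:05:00 10.0.0.7 -> 203.0.113.9
2019-08-30T10:07:10 10.0.0.7 -> 198.51.100.20
2019-08-30T10:07:15 10.0.0.7 -> 198.51.100.20
"""


def parse_log(text):
    """Group connection timestamps by (src, dst) pair."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, _arrow, dst = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows


def find_beacons(text, period=60.0, tolerance=0.1, min_hits=5):
    """Return [(src, dst, mean_gap_seconds)] for pairs seen at least
    min_hits times whose mean gap and jitter both lie within
    tolerance * period of the expected polling period."""
    hits = []
    for (src, dst), times in parse_log(text).items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        limit = period * tolerance
        if abs(avg - period) <= limit and pstdev(gaps) <= limit:
            hits.append((src, dst, avg))
    return hits


if __name__ == "__main__":
    for src, dst, avg in find_beacons(SAMPLE_LOG):
        print(f"possible beacon: {src} -> {dst} every ~{avg:.0f}s")
```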
The nature of this attack is unprecedented because the implant also gains access to the user’s keychain. On iOS, the keychain holds passwords as well as the databases of end-to-end encrypted messaging applications such as iMessage, WhatsApp and Telegram. On a compromised device, end-to-end encryption becomes almost meaningless. Beer also notes that the implant is wiped if the user reboots the device.
This is not the first time that attackers have targeted iPhone users. Past attacks have been narrowly targeted, with exploits delivered primarily through text messages. The campaign discovered by Google, however, appears broader in scale while still aimed at a specific set of users. Apple has not yet offered any comment on the issue.