Nation-state hackers are suspected of having used malware-laced websites to infect iPhones with spyware. Security researchers have stated that this could be the worst general security failure yet affecting Apple devices.
Last Thursday, Google researchers publicly announced the vulnerability. Apple silently fixed the issue last February. However, more than two years passed before they did anything about it, and it is believed to have exposed thousands of iPhone users all over the world.
Google researchers did not divulge who was behind the cyber-espionage or what target population it was intended for. But experts have said that the malware operation has all the makings of a nation-state attack effort.
The sensitive data gathered by the spyware includes WhatsApp, iMessage and Telegram text messages, Gmail, photos, contacts and even real-time location. In a nutshell, all the databases on the iPhone were compromised. Although messaging apps encrypt messages in transit, the data remains readable on the phone itself.
After years of hacking incidents being reported all over the world, this seems to be the most serious iPhone hacking incident which has not been brought to the public’s attention. They are indiscriminately targeting everywhere, and who knows how much information has been compromised by the iPhone implant. This was stated by former US government hacker Jake Williams, who is now the president of Rendition Security.
Ian Beer is the Google researcher who published the blog post last Thursday about the discovery, which should dispel the notion that it costs a million dollars to successfully hack an iPhone. Back in 2016, UAE dissidents had their iPhones infected with what is said to have been confirmed as a zero-day exploit. That exploit is said to have fetched such high prices.
For people who do not know what a zero-day exploit is, it is an exploit that is unknown to the developers of the affected software, which leaves them no time to develop patches to fix it.
Google's Project Zero researchers hunt down security vulnerabilities in almost everything, such as software, microprocessors and other avenues that cyber criminals, state-sponsored hackers and intelligence agencies use.
Mobile security expert Will Strafach of Sudo Security said, “This should serve as a wake-up call to folks. Anyone on any platform could potentially get infected with malware.”
Beer said his team estimated that the infected websites used in the “indiscriminate watering hole attacks” receive thousands of visitors per week. He said the team collected five separate chains of exploits covering Apple’s iOS system as far back as version 10, released in 2016.
There has been no announcement from Apple yet regarding this vulnerability. There are no guarantees that it will not happen again. It has been Apple’s privacy assurance ever since.
Neither Google nor Beer responded immediately to questions about the attackers or the targets, though Beer provided a hint in his blog post: “To be targeted might mean simply being born in a certain geographic region or being part of a certain ethnic group.”
The spyware implant wasn’t written to transmit stolen data securely, suggesting an authoritarian state was behind it. Williams, of Rendition Security, speculated that it was likely used to target political dissidents.