About a week ago, security researchers from Google’s Project Zero team provided us with details of an extremely sophisticated malware attack targeting China’s Uyghur Muslim community. Through a chain of zero-day exploits, iPhone owners who visited infected websites often frequented by the Uyghur community had malware installed onto their devices. From there, the malware was able to collect user photos, private messages, and even GPS location data in real time.
In response to the original Project Zero report, Apple today issued an official response which seemingly categorizes Project Zero’s report as alarmist. Put simply, Apple doesn’t deny that the malware existed, but takes issue with how broad the attack was made to appear. For instance, the original Project Zero report claims that the infected websites in question were operational for two years. Apple denies this and claims that they were only operational for two months.
Apple’s statement reads in part:
First, the sophisticated attack was narrowly focused, not a broad-based exploit of iPhones “en masse” as described. The attack affected fewer than a dozen websites that focus on content related to the Uighur community. Regardless of the scale of the attack, we take the safety and security of all users extremely seriously.
Google’s post, issued six months after iOS patches were released, creates the false impression of “mass exploitation” to “monitor the private activities of entire populations in real time,” stoking fear among all iPhone users that their devices had been compromised. This was never the case.
Apple also makes a point of noting that it patched the iOS vulnerabilities in question just 10 days after Google researchers reached out to them. Additionally, Apple claims that it was already working on fixing the security loopholes before Google contacted them. At this point, it remains unclear whether another third party alerted Apple to the vulnerabilities or whether they were unearthed by Apple engineers.
It’s also worth noting that the malware attack in question didn’t solely target iPhone users. On the contrary, the malware was quite expansive and targeted Android devices along with Windows PCs.
Interestingly, it didn’t take long for Google to reply to Apple’s statement. In a statement provided to The Verge, the search giant said the following:
Project Zero posts technical research that is designed to advance the understanding of security vulnerabilities, which leads to better defensive strategies. We stand by our in-depth research which was written to focus on the technical aspects of these vulnerabilities. We will continue to work with Apple and other leading companies to help keep people safe online.