Earlier this month, security researchers from Google’s Project Zero revealed a remarkable iOS exploit that would allow a malicious actor to completely take over a targeted device with absolutely no interaction from the device owner. Apple ultimately patched the exploit, though there’s no indication that it was actually used in the wild.
The same, however, can’t be said about a new piece of malware recently disclosed by security researchers working for Google’s Project Zero. In a jaw-dropping report, Ian Beer of Project Zero reveals how a collection of hacked websites distributed malware to any iOS device that visited the site in question. The malware relied upon quite a few 0-day vulnerabilities in iOS and reportedly impacted devices running iOS 10 through iOS 12.
The sites serving up the malware weren’t mentioned but are said to receive upwards of thousands of visitors a week. And speaking to the sophistication of the attack, the malware reportedly relied upon a chain of 14 security exploits.
“TAG was able to collect five separate, complete and unique iPhone exploit chains, covering almost every version from iOS 10 through to the latest version of iOS 12,” Beer notes. “This indicated a group making a sustained effort to hack the users of iPhones in certain communities over a period of at least two years.”
Once an impacted website was visited, malware implanted onto the device began collecting all sorts of sensitive user data behind the scenes. According to the report, the iOS malware in question was able to steal a treasure trove of information, including but not limited to text messages, photos, and even GPS location data in real time.
The websites in question were seemingly operational for two years before Google stumbled across them. Apple patched the exploits with a security update this past February.
Again, Google’s researchers don’t directly name who was targeted, though they do imply the campaign focused on people who belong to a “certain ethnic group.” Suffice it to say, many security researchers are confident that a state actor is behind the malware.
A full technical breakdown of the malware in question can be viewed over here.