New Coruna Spyware Targets iPhone Users

Security researchers at Google have revealed new details about a highly sophisticated attack tool called Coruna. This “exploit kit” is designed specifically to break into iPhones and install dangerous spyware.

The report comes from Google’s Threat Analysis Group (TAG) and Mandiant, who have been tracking the use of commercial spyware for years. According to their findings, Coruna is linked to a commercial spyware vendor known as Intellexa. This company sells its hacking tools to government agencies around the world.

An exploit kit is essentially a package of digital keys used to unlock a device without the owner knowing. In the case of Coruna, it uses a series of vulnerabilities, often called zero-days, to get past the iPhone’s defences. These are flaws in the software that the manufacturer, in this case Apple, did not know about until the attacks were already happening.

According to the Google Cloud blog: “The Coruna exploit chain was used to deliver the Predator spyware to targeted iOS devices.” This is particularly concerning because the Predator spyware can record phone calls, steal passwords, and track a user’s location in real time.

An attack usually starts with a malicious link. A target might receive a text message or an email that looks legitimate. Once the person clicks the link, the Coruna kit begins a silent process in the background. It checks the version of iOS the phone is running and then chooses the right set of exploits to break in.

One of the most worrying parts of this report is that Coruna was able to bypass Lockdown Mode. Apple introduced Lockdown Mode as an extreme layer of protection for people who might be personally targeted by sophisticated digital attacks. However, the researchers found that the attackers worked around these extra protections by exploiting specific flaws in how the iPhone processes certain types of web content.

The vulnerabilities used in these attacks were identified as CVE-2023-41991, CVE-2023-41992, and CVE-2023-41993. These flaws affected the way the iPhone handled certificates and web components. Apple has since released updates to patch these specific holes.
