Google researchers announced Thursday that they discovered security vulnerabilities that enabled multiple hacked websites to “exploit iPhones en masse.”
Ian Beer of Google’s Project Zero wrote in a blog post that the company’s Threat Analysis Group (TAG) identified “a small collection of hacked websites” that were being used as “watering hole” sites to attack visitors using iPhones.
“There was no target discrimination; simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant,” Beer wrote. “We estimate that these sites receive thousands of visitors per week.”
Once installed on a device running iOS 10 and above, the device becomes a clandestine spying device which reports location, contacts, messages and the like every 60 seconds. Such telemetry can give criminals a surprisingly broad picture of what a person is like, which they can then turn to their advantage.
The data collection wasn’t limited to Apple apps either — in testing, the malware was able to extract data from most leading apps from third parties, including WhatsApp, Google Maps, and Gmail.
“This is terrifying,” Thomas Reed, a malware researcher at the security software company Malwarebytes told Wired. “We’re used to iPhone infections being targeted attacks carried out by nation-state adversaries. The idea that someone was infecting all iPhones that visited certain sites is chilling.”
Google informed Apple of the vulnerabilities on February 1 this year, giving it a seven-day deadline to fix them. The Cupertino firm issued a patch six days later for iOS 12.1.4 for iPhone 5s and iPad Air and later. The patch notes mention fixing an issue where “an application may be able to gain elevated privileges” and “an application may be able to execute arbitrary code with kernel privileges.”
Chances are that your iPhone is now probably safe from these unnamed websites, but it’s good to make sure that you’ve updated your phone to the latest version, iOS 12.4.1. This is the best way to make sure that your device is safe from the latest online threats, amongst other benefits like new features.
