Hackers have been remotely attacking iPhones with malicious email messages for at least two years, San Francisco-based security firm ZecOps reports.
According to a Motherboard report, ZecOps said it found evidence that hackers have been using an iOS bug since at least January 2018. Researchers say the new iOS exploit appears to have been leveraged as part of malformed emails sent to high-profile iOS users.
Unlike most email-based phone hacks, which involve making someone click a link or visit a website, this exploit does not require victims to do anything other than download (although not necessarily open) an email. It nonetheless could let hackers install malicious software on their devices.
“We concluded with high confidence that it was exploited in the wild,” Zuk Avraham, the founder of ZecOps, told Motherboard. “One of [the vulnerabilities] we clearly showed that it can be triggered remotely, the other one requires an additional vulnerability to trigger it remotely.”
The security researchers say the attack is a zero-click exploit that doesn’t require users to interact with the email, with the exploit triggering once the user receives the email or the user opens the Apple Mail app. The exploit doesn’t trigger in Gmail or other email clients, researchers said.
“The vulnerability allows to run remote code in the context of MobileMail (iOS 12) or maild (iOS 13),” the ZecOps team said. “Successful exploitation of this vulnerability would allow the attacker to leak, modify, and delete emails.”
What’s more worrisome is that multiple groups of attackers are already exploiting these flaws — for at least 2 years as zero-days in the wild — to target individuals from various industries and organizations, MSSPs from Saudi Arabia and Israel, and journalists in Europe.
“With very limited data, we were able to see that at least six organizations were impacted by this vulnerability – and the full scope of abuse of this vulnerability is enormous,” the researchers said.
“While ZecOps refrain from attributing these attacks to a specific threat actor, we are aware that at least one ‘hackers-for-hire’ organization is selling exploits using vulnerabilities that leverage email addresses as the main identifier.”
ZecOps said it notified Apple on February 19. Initially, ZecOps reported what appeared to be a regular security bug, and worked with Apple to patch the issue. Apple published a patch for this bug on April 15, with the release of iOS 13.4.5 beta.
Things, however, changed on Monday, when ZecOps said it discovered evidence in customer logs of attempts to exploit this issue. The company published its report today in order to notify iOS users of the attacks and the need to install the iOS 13.4.5 release once it becomes generally available.