In what appears to be one of the deadliest attacks ever to grace the iOS land, Google has revealed a report stating hacked websites have been utilized to deploy malicious codes in iPhones, for years. Despite Apple being security-centric for iOS, threats in their mobile OS have risen sharply recently.
The latest threat discovered by Google’s Project Zero team states that hacked sites were used by hackers to deliver malware to iPhones randomly. Although the team also notes the choice of sites appeared to target “certain communities.” The websites in question received thousands of traffic weekly and have been running for years, according to Google.
The worst part is, the malware needed zero interaction (zero-interaction malware) to be implanted to an iPhone. So long as the user visited one of the websites, the malware was implanted to their device even without clicking or scrolling.
“The implant is primarily focused on stealing files and uploading live location data. The implant requests commands from a command and control server every 60 seconds,” Ian Beer, from Google’s Project Zero, wrote in a blog post.
A successful implant could mean hackers could be able to “steal private data like iMessages, photos, and GPS location in real-time.” It also gave access to users’ keychain that contains their password data. Besides, the malware also accessed databases of various end-to-end encrypted messaging apps, such as Telegram, WhatsApp, and iMessage.
However, there is a minor workaround for this malware. Rebooting your iPhone wipes the malware. But worse, still, “the breadth of information stolen” leaves the hacker able to “maintain persistent access to various accounts and services by using the stolen authentication tokens from the keychain.”
The team discovered five “separate, complete and unique” exploit chains using 14 vulnerabilities “covering almost every version from iOS 10 through to the latest version of iOS 12.” Some of which were unknown to Apple.
However, Mashable notes Apple patched all of them in the iOS 12.1.4 update rolled out on 7th Feb.
Apple has not yet responded on the matter, as per the time of this writing.