Google researchers reveal data-stealing, web-based iPhone exploit that was active for years


Researchers from Google have uncovered what appears to be a concentrated malware campaign targeting iPhones for at least two years. Thankfully, this may be over now, although they warn it’s possible there are others that are yet to be seen.

Project Zero, the search giant’s security team tasked with finding zero-day vulnerabilities in software, said they discovered a small collection of malicious websites that could be used to hack the devices, using previously undisclosed five different exploit chains.

The chains leveraged 14 different vulnerabilies that covered every version from iOS 10 all the way through iOS 12. Apple issued a patch in its iOS 12.1.4 update back in February after the team privately disclosed the flaws, and gave the iPhone maker just a week to fix them.

Project Zero normally adheres to a strict 90-day disclosure period, but the reduced deadline is indicative of the seriousness of the vulnerabilities involved.

“There was no target discrimination; simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant. We estimate that these sites receive thousands of visitors per week,” Project Zero researcher Ian Beer said.

Credit: Project Zero