Google uncovers collection of malicious sites that secretly hacked iPhones for years


What you need to know

  • Google's Threat Analysis Group (TAG) found a number of malicious websites that were being used to attack iPhones.
  • The malicious websites were reportedly targeting iPhone users for a period of at least two years.
  • iOS vulnerabilities that were being exploited by hackers were patched after Google reported its findings to Apple.

The Project Zero team at Google has announced that it discovered a small collection of hacked websites that were being used to attack iPhones. According to the Project Zero team, merely visiting these hacked websites was enough for the exploit servers to attack the visitor's iPhone.

Google's Threat Analysis Group (TAG) collected a total of five unique iPhone exploit chains, which covered every version from iOS 10 up to the latest iOS 12 version. Once the attackers gained access to a device and a monitoring implant was installed, they could access sensitive information such as the user's photos, messages, location data, and more.

As noted by Motherboard, the attackers could also access the user's keychain, which includes passwords and databases for end-to-end encrypted messaging apps such as WhatsApp and iMessage. Some of the attacks were made using zero-day exploits, which used vulnerabilities that Apple wasn't aware of.

Even though the implants would get removed once an infected iPhone was rebooted, attackers could still access users' accounts and services with the help of the authentication tokens stolen from the keychain. The vulnerabilities were patched after they were reported to Apple by Google in February this year.

You can read more about the five exploit chains that were being used to attack iPhones on the Project Zero blog.

Babu Mohan
  • This is really disturbing. All the more so when one considers how many regular folks out there selected Apple for its supposed security.
  • Google reported it to Apple and they fixed it less than a week later. Not great, not terrible.
  • It's a bit more serious than that. Apple has asserted for years that its products are safe. Privacy is a human right, what happens on your iPhone stays on your iPhone, etc. 2 1/2 years ago, those statements became factually false. That's when the breach approximately occurred. In February of 2019, Apple became aware that their assertions as to security were false. They never disclosed in the last 7 months that for the prior two years their devices were insecure. If Google had not blown the whistle, we would never have known. That is a very serious problem. A number of questions come to mind. How many Apple executives who had knowledge of this issue made stock sales in the last 7 months? How many customers relied on Apple’s assertions as to the security of their products? The lawsuits that are probably being drafted right now will be interesting to say the least.