Google researchers drop a bombshell- Targeted iPhone exploits from malicious websites dating back years

Share on facebook
Share on twitter
Share on linkedin
Share on pinterest
In Technology News by FL Computer Tech
apple iphone

A new report from Vice today details discoveries made by Google Project Zero researchers that “may be one of the largest attacks against iPhone users ever.” The basis of the attacks is a series of hacked websites, which were randomly distributing malware to iPhone users.

In a blog post, Project Zero’s Ian Beer explained that there was “no target discrimination” when it came to this series of attacks. Users could be impacted by simply visiting one of the hacked sites, which were said to be receiving thousands of views per week.

Google’s Threat Analysis Group detected a set of five separate and complete iPhone exploit chains affecting iOS 10 through all versions of iOS 12. “This indicated a group making a sustained effort to hack the users of iPhones in certain communities over a period of at least two years,” Beer wrote.

Once a user visited one of the malicious websites and the malware was deployed, the implant “primarily focused on stealing files and uploading live location data,” as often as every 60 seconds. Because the end device itself had been compromised, services like iMessage were also affected.

Working with TAG, we discovered exploits for a total of fourteen vulnerabilities across the five exploit chains: seven for the iPhone’s web browser, five for the kernel and two separate sandbox escapes. Initial analysis indicated that at least one of the privilege escalation chains was still 0-day and unpatched at the time of discovery.

Beer says that Project Zero reported the issues to Apple with a 7-day deadline on February 1st, 2019 – and they were fixed in the release of iOS 12.1.4 on February 9th, 2019.

This chain of exploits is unique because many attacks are more targeted in scope, but this one affected anyone who happened to visit one of the infected websites.

To be targeted might mean simply being born in a certain geographic region or being part of a certain ethnic group. All that users can do is be conscious of the fact that mass exploitation still exists and behave accordingly; treating their mobile devices as both integral to their modern lives, yet also as devices which when compromised, can upload their every action into a database to potentially be used against them.

The incredibly detailed analysis of iOS exploit chains found in the wild can be read on Google’s Project Zero blog. Here, Ian Beer goes into more details about the security fixes Apple made in iOS 12.1.4, which included a fix for the FaceTime eavesdropping bug, as well as security issues discovered by the Project Zero team.

Michael Duff

Michael Duff

Leave a Replay

Our Latest News

Covid-19 News Website

FL Computer Tech Is dedicated to helping our country overcome The Coronavirus Pandemic that has already taken so many lives and has effectively shut down the greatest nation on our planet.  We have recently launched our Covid-19 FAQs website.  We will be adding important and useful resources on a regular basis.

Recent Posts

Cincinnati Children’s makes tough times easier

When Cincinnati Children’s Hospital needed a mobile app to help families manage care in tough times, they turned to #Microsoft @Azure to get the Caren app running seamlessly, faster. Check out the video for the full story, then contact FL Computer Tech to learn more.

Read More »

The DevOps Imperative: Keep Up or Get Lost

The software industry is moving orders of magnitude faster than what just recently was business as usual. The only way to sustain a high release cadence is to progress through the software development life cycle (SDLC) the right way the first time. Read this article from Forbes to learn how.

Read More »

Follow Us

Video Archive

Sign up for our Newsletter

Looking for the latest in technology news? Do you like tips, tricks and shortcuts? Sign up today!

Sign Up To Access Your FREE Report!

To access our 2019 Ransomware Report, please enter your email address and we’ll send the download link immediately.