Researchers at Google’s security team have uncovered a prolonged attempt to hack Apple’s iPhone devices.
The ‘sustained effort’ has lasted at least two years, and may have gone undetected for even longer.
Experts explained that the attackers managed to gather data from the victims’ smartphones by planting malicious software on their devices. The software would relay contact information, as well as images and other private data back to the hackers.
The malware was downloaded when victims visited particular websites set-up specifically for the attacks. These sites are thought to have seen thousands of visits each week.
Ian Beer, a British cybersecurity expert, shared the details of the attacks in a series of posts online. Beer is part of ‘Project Zero’, a taskforce set up by Google with the aim of seeking out security vulnerabilities.
Beer explained that “there was no targeted discrimination” and that “simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant”.
Project Zero discovered 12 separate security flaws which were exploited by the hackers to gain access to devices. The default browser in Apple devices, Safari, was found to contain the majority of the bugs.
Once planted on a user’s phone, the software had access to a large amount of personal data. It would send information back to the attacker’s servers every 60 seconds. This information included contacts, images, and even GPS location data.
The software was also able to compromise the data contained within apps such as Instagram and WhatsApp, and even Google products such as Gmail and Hangouts.
Beer further explained that the attackers were able to carry out attacks on “almost every version from iOS 10 through to the latest version of iOS 12” and that “this indicated a group making a sustained effort to hack the users of iPhones in certain communities over a period of at least two years.”
The team have not speculated on the identities of the attackers or how much the tool or data may have been worth on the black market. In the past, tools that facilitate attacks like this have sold for several million dollars.
Project Zero notified Apple of the attacks back in February. Six days later Apple released an update to its iOS software that looked to plug the holes the attackers were exploiting. The notes on the update detailed fixes to issues whereby “an application may be able to gain elevated privileges” and “an application may be able to execute arbitrary code with kernel privileges”.
iPhone users have been advised to make sure they are running the latest iteration of iOS in order to protect themselves from being hacked. This is done by going to ‘Settings’, then ‘General’ and then ‘Software Update’.
The current version of the software is iOS 12.4.1. If your device has not been updated to the latest version of the software, you can do so from within the ‘Software Update’ tab itself.
Apple has not yet commented on the situation.