Google Discovered Malicious Websites Used to Hack iPhones for Years

Apple likes to talk up its focus on security and privacy, but iPhone owners have unknowingly been targets of an indiscriminate and severe hacking campaign for at least two years. Google’s Project Zero team uncovered the scheme, which used websites loaded with exploits for then-unpatched flaws to install malware on iPhones that could track user locations, steal files, and more. Apple patched the flaws after they were reported, but we’re only now finding out the scale of the attack.

According to Google, its researchers discovered the malicious websites in early 2019. The team believes the network of hacking sites had been operating for more than two years, attracting thousands of visitors per week. Unsuspecting iPhone users who visited the pages would come away with malware running as root on their devices — the highest level of software privilege on iOS, one that even the device owner doesn’t normally have.

Project Zero researchers identified five different exploit chains in the wild, leveraging 12 distinct security flaws. Seven of them involved the Safari browser engine, which even third-party browsers on iOS have to use. This wasn’t just targeting some archaic version of iOS, either: the attacks covered almost every version from iOS 10 through the latest iOS 12. After implanting the malware on an iPhone, attackers could track the user’s location, copy photos, and even read the user’s on-device password storage.

Again, this all happens silently in the browser. For all the fretting over malicious code popping up in apps for both Android and iOS, this is far more severe because the attackers don’t have to trick users into installing anything. It’s been a long time since zero-day, browser-based hacks like this have shown up in the wild. Years back, there were websites you could visit that would use exploits to instantly jailbreak an iPhone. Modern security practices ended easy browser hacking, or so we thought.

Google reported the flaws privately to Apple in February, but it gave Apple just one week to roll out patches, far shorter than its customary 90-day disclosure timeline. That compressed deadline drives home the seriousness of the attack: not only was the impact on users severe, but the attackers were actively infecting thousands of phones per week. Apple rolled out an update (iOS 12.1.4) six days later to fix the flaws.

If there’s any bright spot in all of this, it’s that the attackers didn’t seem to have any particular target. Their victims were anyone unlucky enough to visit one of the malicious sites. While these holes are now patched, the campaign ran for two years before anyone noticed. There could be other active exploits in the wild right now that no one in the security community knows about.
