Google Project Zero discovers malicious websites that have been hacking iPhones for at least two years
Successful attacks enabled hackers to access passwords, messages and photos from iPhones and iPads
Google's Project Zero team claims to have uncovered several hacked websites found to be spreading malware to Apple iPhones for at least two years.
According to Google, the websites exploited a series of previously undisclosed security flaws to indiscriminately attack any iPhone that visited them. The websites have been operational for years and visited by thousands of users every week.
"There was no target discrimination; simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant," said Ian Beer, a security researcher at Project Zero, in a blog post.
The websites exploited a series of previously undisclosed security flaws to indiscriminately attack any iPhone that visited them
A successful attack allowed hackers to steal users' messages and photos from the device and to track their location in near-real time. The malware also enabled the attackers to access the passwords saved by the user on the device.
The implant requested orders from a command and control (C&C) server every 60 seconds, according to Beer. However, it was not persistent and was wiped out if users rebooted their iPhones.
In total, five separate exploit chains including 14 security flaws were discovered by the researchers. Of those bugs, seven involved Safari, the in-built browser on iPhones. Five bugs impacted kernel while two were separate sandbox escapes.
The exploit chains covered iOS 10 through to the latest iOS 12 version.
Some of the attacks also used zero-day exploits. Such attacks can be highly effective in hacking computers or phones as the company has no idea about the flaw and therefore has not fixed the bug.
All the bugs in Apple's iOS were found earlier this year by Google researchers and were privately disclosed to Apple on 1st February. Google gave Apple only seven days to fix the bugs and to release updates to iPhone users.
Apple, however, was quick in its response and fixed those issues in just six days. On 7th February, it released iOS 12.1.4 for users of iPhone 5s, iPad Air and later.
Apple in general has a good reputation regarding its response on security matters. Earlier this month, the company announced that it was increasing its maximum bug bounty from $200,000 to $1 million in a bid to ensure security researchers turn-in any security flaws they find to Apple - rather than selling them on the grey market.
Earlier this week, the company released a fix for an iOS critical security flaw that was accidentally reintroduced in its last update.
The flaw, which was patched in iOS 12.3 but was unpatched in iOS 12.4, allowed targeted iPhones and iPads to be 'jailbroken', enabling attackers to implant malware or take control of the device.