During the last two years, there have been sustained attempts to hack iPhones, evidence of which has been found by security researchers at Google.
According to Google, websites which would inconspicuously embed malevolent software to access contacts, images and other data were used by the hackers to carry out the attempted hacks.
Users had reportedly visited thousands of times per week the booby-trapped websites, Google’s analysis have suggested.
There were no comments available from Apple.
British cybersecurity expert Ian Beer, a member of Google’s Project Zero, shared the attacks in great detailed through a number of technical posts. Project Zero is a taskforce of Google created and tasked to locate and identify new security vulnerabilities, known as zero days.
“There was no target discrimination,” Beer wrote. “Simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant.”
In order to hack into the devices of Apple, 12 separate security flaws were used by the hackers, discovered Beer and his team. Most of the flaws were within Safari, the default web browser that is loaded on Apple products.
Beer noted, after hacking into an iPhone the malicious software implant had the capacity to access large amounts of the data from the device which included – but was not limited to, the contacts, images and GPS location data stored in the devices. And then every 60 seconds, this information was relayed back to an external server,
Data from the apps a person was using on the iPhones , such as Instagram, WhatsApp and Telegram, was also stolen by the hackers through eth implanted software. Google products such as Gmail and Hangouts, the firm’s group video chat app, were laso included in the list of examples of Beer.
Beer added that the hackers were able to exploit “almost every version from iOS 10 through to the latest version of iOS 12”. “This indicated a group making a sustained effort to hack the users of iPhones in certain communities over a period of at least two years.”
Back in February, a software fix to address the flaw was issued by Apple.
Apple was notified about the vulnerabilities on February 1 this year by the Google’s team. Six days later, Apple subsequently released a patch to address the vulnerability. The notes to the Apple’s patch also refer to fixing an issue whereby “an application may be able to gain elevated privileges” and “an application may be able to execute arbitrary code with kernel privileges”.
In order to make sure they are adequately protected, users of iPhones should update their device to the latest software.
Google identified this attack “in the wild” – which means that this system was being used by cybercriminals when it was discovered, which is different from some of the other security disclosures which just offer theoretical uses of vulnerabilities.
No speculation about who could be behind the cyber attack was made by Beer’s analysis.
(Adapted from BBC.com)