Google reveals malicious websites were secretly used to hack into iPhones for years
Security researchers at Google have discovered a series of hacked websites that were delivering malware designed to hack iPhones over a period of at least two years. These websites, which were visited thousands of times a week, were being used to extensively attack their visitors using an iPhone zero-day exploit.
Just visiting one of these websites was enough to allow hackers to discreetly gather contacts, images and other data from a user’s iPhone.
“Earlier this year Google’s Threat Analysis Group (TAG) discovered a small collection of hacked websites. The hacked sites were being used in indiscriminate watering hole attacks against their visitors, using iPhone 0-day,” Ian Beer, from Google’s Project Zero, wrote in a blog post published Thursday.
“There was no target discrimination; simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant. We estimate that these sites receive thousands of visitors per week,” the post added.
Earlier this year, Google’s Threat Analysis Group (TAG) had discovered the secretive hacking operation when they came across the hacked sites.
During its investigation, Google’s TAG found a total of 14 iOS vulnerabilities across five exploit chains: seven in the iPhone’s web browser, five in the kernel and two separate sandbox escapes, one of which was a zero-day. Together, the five chains covered “almost every version from iOS 10 through to iOS 12.”
Most of the security flaws were found within Safari, the default web browser on Apple devices, noted Beer. The iPhones affected range from iPhone 5s to iPhone X.
According to Google, once the malware was successfully installed on a user’s iPhone, the implant could access a huge amount of data, including iMessages, photos and GPS location in real time. It also had access to the iPhone keychain, which is responsible for securely storing passwords, as well as the databases of end-to-end encrypted messaging apps such as iMessage.
The malicious software would send stolen data, including live user location data, back to a “command and control server” every 60 seconds.
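A fixed 60-second check-in like the one described above is something a defender can look for in outbound proxy or DNS logs. The following detector is an added example written for this article, not code from Google or Project Zero; the log format and the hostnames in it are constructed placeholders, since the real command-and-control addresses are not given here.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample of outbound proxy log lines: "<timestamp> <client> <host>".
# Hostnames are hypothetical placeholders; the real C2 servers are not on this page.
SAMPLE_LOG = """
2019-08-29T10:00:00 10.0.0.5 c2.example.invalid
2019-08-29T10:00:10 10.0.0.5 cdn.example.invalid
2019-08-29T10:01:00 10.0.0.5 c2.example.invalid
2019-08-29T10:02:00 10.0.0.5 c2.example.invalid
2019-08-29T10:02:31 10.0.0.5 cdn.example.invalid
2019-08-29T10:03:01 10.0.0.5 c2.example.invalid
2019-08-29T10:04:00 10.0.0.5 c2.example.invalid
2019-08-29T10:05:00 10.0.0.5 c2.example.invalid
2019-08-29T10:07:45 10.0.0.5 cdn.example.invalid
"""


def parse_log(text):
    """Group request timestamps by (client, host) pair."""
    flows = defaultdict(list)
    for line in text.strip().splitlines():
        ts, client, host = line.split()
        flows[(client, host)].append(datetime.fromisoformat(ts))
    return flows


def find_beacons(text, period=60.0, tolerance=2.0, min_hits=5):
    """Return (client, host, mean_gap) for pairs contacted at a near-fixed interval.

    Ordinary browsing produces irregular gaps; an implant that phones home on a
    timer produces gaps tightly clustered around its period, so we flag a pair
    when both the mean gap is close to `period` and the spread is small.
    """
    hits = []
    for (client, host), times in parse_log(text).items():
        if len(times) < min_hits:  # too few requests to judge periodicity
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if abs(mean(gaps) - period) <= tolerance and pstdev(gaps) <= tolerance:
            hits.append((client, host, round(mean(gaps), 1)))
    return hits
```

On the constructed log, only the `c2.example.invalid` pair is flagged; the CDN host has too few requests and irregular timing. Real implants often add jitter, so widen `tolerance` or compare against several candidate periods when running this over production logs.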
The implant also could scoop up data from encrypted messenger apps like Instagram, Telegram and WhatsApp – and even Google apps like Gmail and Hangouts.
Thankfully, the malware is said to be non-persistent, meaning it is removed from an infected iPhone when the device reboots. Even so, the “attackers may nevertheless be able to maintain persistent access to various accounts and services by using the stolen authentication tokens from the keychain, even after they lose access to the device,” notes Beer.
Because the implant does not survive on the device, the attackers would regain access to it when the owner next visits a “compromised site”, warned Beer.
Google informed Apple of the attacks in February, and Apple subsequently released a security patch for iOS 12.1.
“We reported these issues to Apple with a 7-day deadline on 1 Feb 2019, which resulted in the out-of-band release of iOS 12.1.4 on 7 Feb 2019,” Beer said.
Apple disclosed Google’s findings in an accompanying support document.
To ensure that your Apple device is protected from these flaws, we recommend that you check whether it is running the most up-to-date version of iOS. The most recent update currently available is iOS 12.4.1.