Earlier this year Google’s Threat Analysis Group (TAG) discovered that a small collection of hacked websites was being used to carry out indiscriminate watering-hole attacks against visitors, using iPhone zero-day.
Victims were ensnared just by visiting one of the hacked websites, which are estimated to have attracted thousands of visitors per week. This simple action alone was enough to inadvertently trigger an exploit server to attempt to install a monitoring implant on the user’s device.
Hackers exploited flaws in iPhone software to stealthily take over a victim’s device and access a user’s contact info, media files and GPS location, together with data from Instagram, WhatsApp, Telegram and Gmail.
TAG collected five separate, complete and unique iPhone exploit chains, covering most versions of the device from iOS 10 through to the most recent version, iOS 12.
“This indicated a group making a sustained effort to hack the users of iPhones in certain communities over a period of at least two years,” said Project Zero’s Ian Beer.
He went on to say that investigations into the root causes of the vulnerabilities revealed code that appeared to have never worked correctly, had missed the quality assurance checks or “likely had little testing or review before being shipped to users.”
TAG found 14 different software flaws, seven of which affected the iPhone’s Safari web browser. The group reported the issues to Apple with a seven-day deadline on February 1, 2019, which resulted in the out-of-band release of iOS 12.1.4 on February 7, 2019.
After summarizing the findings, Beer warned users to wise up to the very real threat of cyber-attacks and to consider where the data they constantly put into their devices may one day end up.
He said: “The reality remains that security protections will never eliminate the risk of attack if you’re being targeted.
“All that users can do is be conscious of the fact that mass exploitation still exists and behave accordingly; treating their mobile devices as both integral to their modern lives yet also as devices which, when compromised, can upload their every action into a database to potentially be used against them.”
Source: Infosecurity Magazine