A new report from Vice today details discoveries made by Google Project Zero researchers that “may be one of the largest attacks against iPhone users ever.” The basis of the attacks is a series of hacked websites, which were indiscriminately distributing malware to iPhone users.
In a blog post, Project Zero’s Ian Beer explained that there was “no target discrimination” when it came to this series of attacks. Users could be impacted by simply visiting one of the hacked sites, which were said to be receiving thousands of views per week.
Google’s Threat Analysis Group detected a set of five separate and complete iPhone exploit chains affecting iOS 10 through all versions of iOS 12. “This indicated a group making a sustained effort to hack the users of iPhones in certain communities over a period of at least two years,” Beer wrote.
Once a user visited one of the malicious websites and the malware was deployed, the implant “primarily focused on stealing files and uploading live location data,” as often as every 60 seconds. Because the end device itself had been compromised, services like iMessage were also affected.
Beer says that Project Zero reported the issues to Apple with a 7-day deadline on February 1st, 2019 – and they were fixed in the release of iOS 12.1.4 on February 9th, 2019.
This campaign is unique because many attacks are more targeted in scope, whereas this one affected anyone who happened to visit one of the infected websites.
The incredibly detailed analysis of iOS exploit chains found in the wild can be read on Google’s Project Zero blog. There, Ian Beer goes into more detail about the security fixes Apple made in iOS 12.1.4, which included a fix for the FaceTime eavesdropping bug as well as fixes for the security issues discovered by the Project Zero team.