By exploiting a weakness in the technology’s operating systems, hackers planted spyware on iPhones over a two-year period, Google said Friday.
The culprits targeted a number of infected websites which, when visited by iPhone users, infected the devices and installed malware in some cases, as said by Ian Beer of Project Zero, a team of Google security analysts which investigates cybercrime.
In a blog post, Beer wrote, “There was no target discrimination; simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant. We estimate that these sites receive thousands of visitors per week.”
With the implant, hackers were able to access Apple customers’ information including their passwords and personal contacts in addition to messages sent through WhatsApp, iMessage, Gmail and Google Hangouts, said the Project Zero researchers.
From iOS 10 through to the newest version of iOS 12, nearly every version of Apple’s iPhone operating system was vulnerable, according to Beer. Yet, it’s uncertain how many users might have fallen victim.
Old bug but new hack
The security bugs identified by Beer aren’t new, but were exploited in new ways.
Operating system internal researcher Jonathan Levin said, “Ian shows this is the first time these types of vulnerabilities have been used out on the wide internet, where if the malicious code was present on a certain website that was accessed, the unsuspecting user would be infected, and remain blissfully ignorant of it.”
In this instance, no user intervention like a prompt to click on a link, was necessary for an iPhone to get attacked.
According to Levin, the scale of the hack implies it was backed a nation, not an individual. He told CBS MoneyWatch, “It requires a lot of research, and there has to be an endgame motive for this. It’s possible that those behind the hack targeted a specific demographic or interest groups.”
He added, “My personal hunch, because of the level of proficiency and efficacy of the exploits, is that this is not the work of your average hacker.”
Beer notes that there isn’t any definite way for iPhone users to protect themselves from security breaches. “All that users can do is be conscious of the fact that mass exploitation still exists and behave accordingly; treating their mobile devices as both integral to their modern lives, yet also as devices which when compromised, can upload their every action into a database to potentially be used against them.”
Google informed that it reported its discoveries to Apple in February, after which it brought out an updated operating system to fix the faults.
Android isn’t safe either
Levin said, while Beer focuses on some of the iPhone’s weaknesses, the attack shouldn’t be misinterpreted to imply that Google’s Android operating system is safer.
He added, “The takeaway shouldn’t be, ‘I’m going to use Android from now on because it’s more secure.’ That’s far from it. Similar and/or possibly worse bugs exist in Android and other operating systems as well. Google Project Zero simply chose to highlight iOS this time.”
Apple claims it is the most secure operating system and there is a good reason for it. Levin said, “Apple genuinely invests extreme efforts in securing iOS on multiple layers, down to their proprietary hardware, and in some aspects are still way ahead of Android.”