Malicious Websites Were Used to Hack iPhones for Years, Google Says

Google says there is no way to know who was behind the attacks.
Chris Young

The biggest known malware attack against iPhone users went on for two years - starting in 2017 - without anyone knowing, Google says in a new Project Zero research statement.

It may have hit thousands of people, though the exact figures aren't known. One thing that is known is that if you are an iPhone user and you have updated your iOS, you should be safe.

A nation-backed attack?

The malware, described in a Project Zero paper, could allow an attacker to steal passwords, encrypted messages, contacts, location, and other sensitive information.

The hackers sent all of the stolen data to a single server from which they ran the operation.

As per the MIT Tech Review, the scope and successful execution of such a large attack may point to a potential nation-backed operation. Unfortunately, though, the perpetrators have not been discovered, and likely won't be.


iPhone users would be unlikely to know if they were being targeted by the malware, as it runs in the background with no visual indication that it is on the device.

“The data taken is the ‘juicy’ data,” Jonathan Levin, a researcher who has written books on Apple's operating system, told MIT Tech Review.

"Take all the passwords from the keychain, location data, chats/contacts/etc., and build a shadow network of connections of all your victims. Surely by six degrees of separation, you'll find interesting targets there."

As per TechCrunch, Google privately disclosed the vulnerabilities to Apple in February, giving Apple only a week to fix them. Google's Project Zero would usually give 90 days. Given the severity of the vulnerabilities, they asked Apple to act fast.

Updates 

Apple patched the bug that allowed the malware to take effect just a week after they were made aware of the problem. Their patch was released in February 2019, so anyone who has updated their iOS since then is protected.

Thankfully, deploying this type of malware is very costly. As MIT Tech Review reports, hacking Apple's iOS operating system is a difficult and expensive process.

"iOS exploitation requires sidestepping and bypassing Apple's formidable defenses, in multiple layers," says Levin. Despite that, an unknown group of hackers was worryingly able to get through these layers and go undetected for a long time.
