AP

Two-year operation indiscriminately infects iPhones with spyware

Aug 30, 2019, 6:27 PM | Updated: 6:49 pm

AP Photo/Marcio Jose Sanchez, File...

AP Photo/Marcio Jose Sanchez, File

(AP) — Researchers say suspected nation-state hackers infected Apple iPhones with spyware for over two years. On Friday, security experts called the hacking an alarming security failure for a company whose calling card is privacy.

Just visiting one of a small number of tainted websites could infect an iPhone. The implant was capable of sending information from the smartphone to the cybercriminals behind the operation. The personal information included text messages, email, photos, and real-time location data.

“This is definitely the most serious iPhone hacking incident that’s ever been brought to public attention, both because of the indiscriminate targeting and the amount of data compromised by the implant,” said former U.S. government hacker Jake Williams, the president of Rendition Security.

Apple quietly patched the problem

Announced late Thursday by Google researchers, the last of the vulnerabilities were quietly fixed by Apple by February but only after thousands of iPhone users were believed exposed over more than two years.

The researchers did not identify the websites used to seed the spyware or their location. They also did not say who was behind the cyber espionage or what population was targeted, but experts said the operation had the hallmarks of a nation-state effort.

Williams said the spyware implant wasn’t written to transmit stolen data securely, indicating the hackers were not concerned about getting caught. That suggests an authoritarian state was behind it. He speculated that it was likely used to target political dissidents.

Affected apps include text messages, Gmail

Sensitive data accessed by the spyware included WhatsApp, iMessage and Telegram text messages, Gmail, photos, contacts and real-time location — essentially all the databases on the victim’s phone. While the messaging applications may encrypt data in transit, it is readable at rest on iPhones.

Google researcher Ian Beer said in a blog posted late Thursday that the discovery should dispel any notion that it costs a million dollars to successfully hack an iPhone. That’s a reference to the case of a United Arab Emirates dissident whose iPhone was infected in 2016 with so-called zero-day exploits, which have been known to fetch such high prices.

“Zero day” refers to the fact that such exploits are unknown to the developers of the affected software, and thus they have had no time to develop patches to fix it.
The discovery, involving 14 such vulnerabilities, was made by Google researchers at Project Zero, which hunts the security flaws in software and microprocessor firmware, independent of their manufacturer, that criminals, state-sponsored hackers and intelligence agencies use.

“This should serve as a wake-up call to folks,” said Will Strafach, a mobile security expert with Sudo Security. “Anyone on any platform could potentially get infected with malware.”

Popular, busy apps targeted

Beer said his team estimated that the infected websites used in the “indiscriminate watering hole attacks” receive thousands of visitors per week. He said the team collected five separate chains of exploits covering Apple’s iOS system as far back as version 10, released in 2016.

Apple did not respond to requests for comment on why it did not detect the vulnerabilities on its own and if it can assure users that such a general attack could not happen again. Privacy assurance is central to the Apple brand.

Neither Google nor Beer responded to questions about the attackers or the targets, though Beer provided a hint in his blog post: “To be targeted might mean simply being born in a certain geographic region or being part of a certain ethnic group.”

Game-changing attack

Security manager Matt Lourens at Check Point Software Technologies called the development an alarming game-changer. He said that while iPhone owners previously compromised by zero days were high-value targets, a more widespread seeding of spyware at a lower cost per infection has now been shown possible.

“This should absolutely reshape the way corporations view the use of mobile devices for corporate applications, and the security risk it introduces to the individual and/or organization,” Lourens said in an email.

In his blog post, the Google researcher Beer warned that absolute digital security can’t be guaranteed.

Smartphone users must ultimately “be conscious of the fact that mass exploitation still exists and behave accordingly;” he wrote, “treating their mobile devices as both integral to their modern lives, yet also as devices which when compromised, can upload their every action into a database to potentially be used against them.”

___
AP Cybersecurity Writer Frank Bajak on Twitter: https://twitter.com/fbajak

 

We want to hear from you.

Have a story idea or tip? Send it to the KSL NewsRadio team here.

AP

WASHINGTON, DC - JANUARY 4: A view of the U.S. Supreme Court on Thursday morning January 4, 2024 in...

MARK SHERMAN

Supreme Court again confronts the issue of abortion, this time over access to widely used pill

Two years after the Supreme Court overturned Roe v. Wade and cleared the way for bans or severe restrictions on abortion in many Republican-led states, abortion opponents on Tuesday will ask the high court to ratify a ruling from a conservative federal appeals court that would limit access to the medication mifepristone, which was used in nearly two-thirds of all abortions in the United States last year.

3 days ago

File - The Instagram logo is seen on a cell phone in Boston, USA, Oct. 14, 2022. Instagram has star...

Associated Press

New Instagram feature limits display of political content

Instagram has started an automatic clamp down on the amount of political content appearing in its users' feeds.

3 days ago

ghost army Congressional gold medal ceremony...

JAMIE STENGLE Associated Press

Ghost Army members who staged secret WWII battlefield deceptions awarded Congressional Gold Medal

Three of the seven known surviving members attended the ceremony at the U.S. Capitol.

7 days ago

Brigham Young Cougars center Aly Khalifa (50) shoots against the UCF Knights at the Marriott Center...

DAVE SKRETTA AP Basketball Writer

BYU’s Aly Khalifa heads into March Madness without food or water while observing Ramadan

It is a fast Khalifa is embarking on willingly, yet one that carries with it unusual challenges during the NCAA Tournament.

8 days ago

A JetBlue airplane is seen, March 16, 2017, at John F. Kennedy International Airport in New York....

The Associated Press 

JetBlue will drop some cities and reduce LA flights to focus on more profitable routes

JetBlue Airways will end service at several cities and reduce flying out of Los Angeles in a move to focus on stronger markets.

8 days ago

Two shades of purple tulips combine with a spring garden of emerging red-leafed lettuce. (Netherlan...

Mike Corder

AI robots are spotting sick tulips in Dutch bulb fields

As part of efforts to tackle the virus, there are 45 robots patrolling tulip fields across the Netherlands as the weather warms up.

9 days ago

Sponsored Articles

Mother and cute toddler child in a little fancy wooden cottage, reading a book, drinking tea and en...

Visit Bear Lake

How to find the best winter lodging in Bear Lake, Utah

Winter lodging in Bear Lake can be more limited than in the summer, but with some careful planning you can easily book your next winter trip.

Happy family in winter clothing at the ski resort, winter time, watching at mountains in front of t...

Visit Bear Lake

Ski more for less: Affordable ski resorts near Bear Lake, Utah

Plan your perfect ski getaway in Bear Lake this winter, with pristine slopes, affordable tickets, and breathtaking scenery.

front of the Butch Cassidy museum with a man in a cowboy hat standing in the doorway...

Bear Lake Convention and Visitors Bureau

Looking Back: The History of Bear Lake

The history of Bear Lake is full of fascinating stories. At over 250,000 years old, the lake has seen generations of people visit its shores.

silhouette of a family looking over a lake with a bird in the top corner flying...

Bear Lake Convention and Visitors Bureau

8 Fun Activities To Do in Bear Lake Without Getting in the Water

Bear Lake offers plenty of activities for the whole family to enjoy without having to get in the water. Catch 8 of our favorite activities.

Wellsville Mountains in the spring with a pond in the foreground...

Wasatch Property Management

Advantages of Renting Over Owning a Home

Renting allows you to enjoy luxury amenities and low maintenance without the long-term commitment and responsibilities of owning a home.

Clouds over a red rock vista in Hurricane, Utah...

Wasatch Property Management

Why Southern Utah is a Retirement Paradise

Retirement in southern Utah offers plenty of cultural and recreational opportunities. Find out all that this region has to offer.

Two-year operation indiscriminately infects iPhones with spyware