AP

Two-year operation indiscriminately infects iPhones with spyware

Aug 30, 2019, 6:27 PM | Updated: 6:49 pm
AP Photo/Marcio Jose Sanchez, File...
AP Photo/Marcio Jose Sanchez, File

(AP) — Researchers say suspected nation-state hackers infected Apple iPhones with spyware for over two years. On Friday, security experts called the hacking an alarming security failure for a company whose calling card is privacy.

Just visiting one of a small number of tainted websites could infect an iPhone. The implant was capable of sending information from the smartphone to the cybercriminals behind the operation. The personal information included text messages, email, photos, and real-time location data.

“This is definitely the most serious iPhone hacking incident that’s ever been brought to public attention, both because of the indiscriminate targeting and the amount of data compromised by the implant,” said former U.S. government hacker Jake Williams, the president of Rendition Security.

Apple quietly patched the problem

Announced late Thursday by Google researchers, the last of the vulnerabilities were quietly fixed by Apple by February but only after thousands of iPhone users were believed exposed over more than two years.

The researchers did not identify the websites used to seed the spyware or their location. They also did not say who was behind the cyber espionage or what population was targeted, but experts said the operation had the hallmarks of a nation-state effort.

Williams said the spyware implant wasn’t written to transmit stolen data securely, indicating the hackers were not concerned about getting caught. That suggests an authoritarian state was behind it. He speculated that it was likely used to target political dissidents.

Affected apps include text messages, Gmail

Sensitive data accessed by the spyware included WhatsApp, iMessage and Telegram text messages, Gmail, photos, contacts and real-time location — essentially all the databases on the victim’s phone. While the messaging applications may encrypt data in transit, it is readable at rest on iPhones.

Google researcher Ian Beer said in a blog posted late Thursday that the discovery should dispel any notion that it costs a million dollars to successfully hack an iPhone. That’s a reference to the case of a United Arab Emirates dissident whose iPhone was infected in 2016 with so-called zero-day exploits, which have been known to fetch such high prices.

“Zero day” refers to the fact that such exploits are unknown to the developers of the affected software, and thus they have had no time to develop patches to fix it.
The discovery, involving 14 such vulnerabilities, was made by Google researchers at Project Zero, which hunts the security flaws in software and microprocessor firmware, independent of their manufacturer, that criminals, state-sponsored hackers and intelligence agencies use.

“This should serve as a wake-up call to folks,” said Will Strafach, a mobile security expert with Sudo Security. “Anyone on any platform could potentially get infected with malware.”

Popular, busy apps targeted

Beer said his team estimated that the infected websites used in the “indiscriminate watering hole attacks” receive thousands of visitors per week. He said the team collected five separate chains of exploits covering Apple’s iOS system as far back as version 10, released in 2016.

Apple did not respond to requests for comment on why it did not detect the vulnerabilities on its own and if it can assure users that such a general attack could not happen again. Privacy assurance is central to the Apple brand.

Neither Google nor Beer responded to questions about the attackers or the targets, though Beer provided a hint in his blog post: “To be targeted might mean simply being born in a certain geographic region or being part of a certain ethnic group.”

Game-changing attack

Security manager Matt Lourens at Check Point Software Technologies called the development an alarming game-changer. He said that while iPhone owners previously compromised by zero days were high-value targets, a more widespread seeding of spyware at a lower cost per infection has now been shown possible.

“This should absolutely reshape the way corporations view the use of mobile devices for corporate applications, and the security risk it introduces to the individual and/or organization,” Lourens said in an email.

In his blog post, the Google researcher Beer warned that absolute digital security can’t be guaranteed.

Smartphone users must ultimately “be conscious of the fact that mass exploitation still exists and behave accordingly;” he wrote, “treating their mobile devices as both integral to their modern lives, yet also as devices which when compromised, can upload their every action into a database to potentially be used against them.”

___
AP Cybersecurity Writer Frank Bajak on Twitter: https://twitter.com/fbajak

 

We want to hear from you.

Have a story idea or tip? Send it to the KSL NewsRadio team here.

Today’s Top Stories

AP

quit their jobs...
PAUL WISEMAN AP Economics Writer

US added a strong 517,000 jobs in January despite Fed hikes

The Fed is aiming to achieve a "soft landing" — a pullback in the economy that is enough to tame high inflation without triggering recession.
2 days ago
Thousands of fraudulent nursing diplomas  were dispersed in Florida. (Canva)...
Associated Press via Miami Herald

Fake nursing diploma scheme in Florida; 25 arrested

The defendants each face up to 20 years in prison.
3 days ago
Microsoft is cutting 10,000 workers, almost 5% of its workforce, in response to "macroeconomic cond...
MATT O'BRIEN, Associated Press

Job cuts in tech sector spread, Microsoft lays off 10,000

Microsoft said in a regulatory filing Wednesday that had just notified employees of the layoffs, some of which begin immediately.
18 days ago
exxon mobil sign pictured...
SETH BORENSTEIN and CATHY BUSSEWITZ Associated Press

Study: Exxon Mobil accurately predicted warming since 1970s

Exxon said its understanding of climate change evolved over the years and that critics are misunderstanding its earlier research.
24 days ago
FILE - Protesters, supporters of Brazil's former President Jair Bolsonaro, stand on the roof of the...
The Associated Press

Brazil and Jan. 6 in US: Parallel attacks, but not identical

RIO DE JANIERO, Brazil — Enraged protesters broke into government buildings that are the very symbol of their country’s democracy. Driven by conspiracy theories about their candidate’s loss in the last election, they smashed windows, sifted through the desks of lawmakers and trashed the highest offices in the land in a rampage that lasted hours […]
26 days ago
President Joe Biden pictured...
ZEKE MILLER AP White House Correspondent

DOJ reviewing potentially classified docs at Biden center

Special counsel to the president Richard Sauber said “a small number of documents with classified markings” were discovered at the offices of the Penn Biden Center.
27 days ago

Sponsored Articles

Banner with Cervical Cancer Awareness Realistic Ribbon...
Intermountain Health

Five Common Causes of Cervical Cancer – and What You Can Do to Lower Your Risk

January is National Cervical Cancer Awareness month and cancer experts at Intermountain Health are working to educate women about cervical cancer, the tests that can warn women about potential cancer, and the importance of vaccination.
Kid holding a cisco fish at winterfest...
Bear Lake Convention and Visitors Bureau

Get Ready for Fun at the 2023 Bear Lake Monster Winterfest

The Bear Lake Monster Winterfest is an annual weekend event jam-packed full of fun activities the whole family can enjoy. This year the event will be held from January 27-29 at the Utah Bear Lake State Park Marina and Sunrise Resort and Event Center in Garden City, Utah. 
happy friends with sparklers at christmas dinner...
Macey's

15 Easy Christmas Dinner Ideas

We’ve scoured the web for you and narrowed down a few of our favorite Christmas dinner ideas to make your planning easy. Choose from the dishes we’ve highlighted to plan your meal or start brainstorming your own meal plan a couple of weeks before to make sure you have time to shop and prepare.
Spicy Homemade Loaded Taters Tots...
Macey's

5 Game Day Snacks for the Whole Family (with recipes!)

Try these game day snacks to make watching football at home with your family feel like a special occasion. 
Happy joyful smiling casual satisfied woman learning and communicates in sign language online using...
Sorenson

The Best Tools for Deaf and Hard-of-Hearing Workplace Success

Here are some of the best resources to make your workplace work better for Deaf and hard-of-hearing employees.
Team supporters celebrating at a tailgate party...
Macey's

8 Delicious Tailgate Foods That Require Zero Prep Work

In a hurry? These 8 tailgate foods take zero prep work, so you can fuel up and get back to what matters most: getting hyped for your favorite
Two-year operation indiscriminately infects iPhones with spyware