Google on Thursday announced that it has discovered a number of hacked websites that have been found to be pushing malware to Apple iPhone users for at least two years. These websites, controlled by an unknown set of people, were being used to indiscriminately attack their visitors using a iPhone zero-day flaw. The search giant’s Project Zero Team hasn’t shared any details about these websites but it estimates that they were receiving thousands of visitors per week. Earlier this year, Google had revealed this iOS zero-day flaw without sharing any specifics.
“Earlier this year Google’s Threat Analysis Group (TAG) discovered a small collection of hacked websites. The hacked sites were being used in indiscriminate watering hole attacks against their visitors, using iPhone 0-day,” Google’s Project Zero team wrote in a blog post.
“There was no target discrimination; simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant. We estimate that these sites receive thousands of visitors per week,” the post added.
During its investigation, Google’s TAG was able to spot five exploit chains, covering almost every version from iOS 10 through to iOS 12, being used by the hackers to spy the data off unsuspecting iPhone users. These exploits chains were targeting a total of 14 vulnerabilities present on the Apple iPhones, seven in the Web browser, five in the kernel, and two sandbox escapes. At least one of the privilege escalation chains was found to be zero-day (previously undiscovered) and it was reported to Apple in February this year and the company patched it soon after in iOS 12.1.4. Google had publicly revealed the zero-day but hadn’t shared any details at the time.
According to Google, once the malware was successfully placed on an iPhone, it would steal files and upload live location data. It also had access to iPhone users’ keychain, which is used for storing metadata and sensitive information like passwords, as well as apps like WhatsApp, iMessage, and Telegram. While the end-to-end encryption on these apps protects the messages from being snooped on during transit, the malware’s presence of the device itself made the encryption moot.
Fortunately, the malware is said to be non-persistent, so if a user had rebooted their iPhone, the malware would get removed but the initial infection itself could have already delivered sensitive information to the hackers.
“Given the breadth of information stolen, the attackers may nevertheless be able to maintain persistent access to various accounts and services by using the stolen authentication tokens from the keychain, even after they lose access to the device,” Google’s Ian Beer wrote in a blog post.
Google’s revelations came on the same day as Apple sent out invites to the media for a press event on September 10 to announce the new iPhone models.