Skip to Content
MIT Technology Review

Websites have been quietly hacking iPhones for years, says Google

Websites delivered iOS malware to thousands of visitors in the biggest iPhone hack ever. There’s no telling who was infected—or who was behind it.

iPhone xiPhone x
iPhone x
AP
  • Malware could steal passwords, encrypted messages and contacts
  • It's not clear who was behind the hacking campaign or who was targeted
  • If you have updated your iPhone you are protected

The largest ever known attack against iPhone users lasted at least two years and hit potentially thousands of people, according to research published by Google. 

The malware could ransack the entire iPhone to steal passwords, encrypted messages, location, contacts, and other extremely sensitive information. The data was then sent to a command and control server which the hackers used to run the operation. The scope, execution, and persistence of the unprecedented hacking campaign points to a potential nation-backed operation but the identity of both the hackers and their targets is still unknown.  

“The data taken is the ‘juicy’ data," says Jonathan Levin, an author of three books on the internals of Apple's operating systems. "Take all the passwords from the keychain, location data, chats/contacts/etc, and build a shadow network of connections of all your victims. Surely by six degrees of separation you'll find interesting targets there."

Apple patched the bugs quickly in February 2019 so everyone who has updated their iPhone since then is protected. Rebooting the iPhone wiped the malware but the data had already been taken. Exactly who was infected remains an open question. iPhone users themselves likely wouldn’t know because the malware runs in the background with no visual indicator and no way for an iOS user to view the processes running on the device. 

In January 2019, Google’s Threat Analysis Group (TAG), the tech giant’s counterespionage specialists, first found hacked websites that were delivering malware to thousands of visitors per week. The tactic is known as a watering-hole attack: attackers lace carefully selected websites with malware and wait for expected visitors to arrive to be infected. Just visiting the site was enough to download the malware.

Google’s discovery included, over a period of years, five so-called "exploit chains" with 14 vulnerabilities including at least one active zero-day vulnerability, the term used to describe an exploitable bug undiscovered by a company like Apple. When one exploit chain was rendered useless by an Apple patch, the hacker quickly implemented the next one.

TAG passed the intelligence to Apple, who issued iOS patch 12.1.4 on February 7 with a fix, as well as to others within Google. Google’s Project Zero, the company’s security analysis team, has spent the last seven months dissecting these bugs.

"There was no target discrimination; simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant. We estimate that these sites receive thousands of visitors per week," Google’s Ian Beer wrote.

It’s not clear who was infected. Google's Project Zero did not release key information including which websites were infected. It seems likely that neither Apple nor Google would have a full accounting of victims but there could be other clues, including which populations typically visit the infected website. 

So, who is behind it? There is an entire offensive hacking industry that creates and sells hacking tools to governments and companies around the world. NSO Group is the most famous but their tools have reportedly been tightly targeted. But Levin thinks the signs point to a nation state being behind this attack, as the model used is not something a typical hacker or small company could afford to run. 

The revelation instantly made waves throughout the cybersecurity industry. "This is the first time evidence has been found of such exploits being used massively, indiscriminately as ‘net fishing’ against whatever unsuspecting individuals end up visiting the infected websites," says Levin.

One of the most notable victims of iPhone malware ever is Ahmed Mansoor. Mansoor, a world-renowned human rights activist imprisoned for criticizing the United Arab Emirates government, is nicknamed “the million dollar dissident” because of the high cost of the malware used to hack his iPhone and spy on him.

Until now, the implication of the high prices had been that deploying these weapons is rare and tightly targeted. Exploiting Apple’s iOS operating system, the software that powers both the iPhone and iPad, is a complex and expensive process. "iOS exploitation requires sidestepping and bypassing Apple's formidable defenses, in multiple layers," says Levin. Google’s discovery throws some of those assumptions in the air.

It will also upend perceptions of the security of iPhones. High-risk individuals including journalists, lawyers, activists, and more use iPhones in the hope that the devices will provide a real defense against hackers who, in some cases, can be a genuine life or death threat.

“Real users make risk decisions based on the public perception of the security of these devices,” Beer wrote. “The reality remains that security protections will never eliminate the risk of attack if you're being targeted."