The hacks use zero-interaction malware hosted on various unnamed sites that receive thousands of visitors every week. Simply by viewing such a site, without even clicking or scrolling, a user could have a monitoring implant installed on their iPhone.
The search engine giant revealed that the implant could “steal private data like iMessages, photos and GPS location in real-time”; the hacks could access users’ keychains and password data, as well as information about messages sent and received through Google Hangouts, WhatsApp, iMessage, and Telegram.
The malware can be removed if the iPhone is rebooted; however, any information that was obtained during the infection could still leave the device vulnerable to attack. The hacks picked their victims at random; they did target a specific community but were otherwise indiscriminate.
Google’s security research initiative Project Zero posted a “very deep dive” detailing the exploits, which their Threat Analysis Group discovered and disclosed to Apple in February 2019.
The team found five “separate, complete and unique” exploit chains using 14 vulnerabilities. Several were zero-day, meaning Apple was unaware of them at the time of Project Zero’s discovery; Apple patched these within the seven-day deadline Google gave, in iOS 12.1.4, the same February 7 update that patched the infamous Group FaceTime vulnerability.
The exploits date back to iOS 10 and extend through updates of iOS 12.1.2, encompassing “almost every version” in that timeframe.
The number of Apple exploits discovered appears to have risen sharply over the past year. At the end of July, Project Zero revealed six zero-interaction security bugs that could be exploited through iMessage, only five of which Apple had managed to patch by the time the Google team revealed them. And in August, news broke of the SQLite vulnerability, as demonstrated at DEFCON 2019 using the iOS Contacts app, as well as the vulnerability to the Bluetooth-based “KNOB” attack that affected every iPhone and iPad.