Has Your iPhone Been Hacked? Google Reveals Malware Attack That's Been Happening for Years

For at least two years, hackers engaged in a sustained malware attack on iPhone users, potentially infecting thousands of phones.

The malware was capable of stealing passwords, encrypted messages, chat histories, location data and the iPhone's complete contacts database. The information was then sent to a "command and control" server operated by an unknown hacker or hackers, with new data uploaded every minute. The stolen data could include content from popular apps like WhatsApp, Telegram, iMessage and Gmail.
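The once-a-minute upload cadence described above is the kind of regularity a network defender can look for in egress logs. The following is an added example, not code from the article or from Google, that flags client/destination pairs whose uploads recur at roughly 60-second intervals; the log lines, hostnames and addresses are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample egress-proxy log lines (not from the original article):
# timestamp, client address, destination host, bytes sent.
SAMPLE_LOG = """\
2019-01-14T09:00:00Z 10.0.0.5 c2.example.invalid 4112
2019-01-14T09:00:07Z 10.0.0.5 cdn.example.invalid 812
2019-01-14T09:01:01Z 10.0.0.5 c2.example.invalid 3990
2019-01-14T09:01:59Z 10.0.0.5 c2.example.invalid 4203
2019-01-14T09:02:12Z 10.0.0.7 mail.example.invalid 1500
2019-01-14T09:03:00Z 10.0.0.5 c2.example.invalid 4050
2019-01-14T09:04:00Z 10.0.0.5 c2.example.invalid 4120
2019-01-14T09:04:30Z 10.0.0.7 mail.example.invalid 22000
"""


def parse_log(text):
    """Yield (timestamp, client, host, bytes_out) tuples from the log text."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, nbytes = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, host, int(nbytes)


def find_beacons(text, period=60.0, tolerance=5.0, min_events=4):
    """Return {(client, host): mean_gap_seconds} for pairs whose requests
    recur at about `period` seconds with low jitter (a beaconing pattern)."""
    events = defaultdict(list)
    for ts, client, host, _nbytes in parse_log(text):
        events[(client, host)].append(ts)
    hits = {}
    for key, stamps in events.items():
        if len(stamps) < min_events:
            continue  # too few observations to call it a cadence
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # Regular cadence: mean gap near the period and small spread.
        if abs(avg - period) <= tolerance and pstdev(gaps) <= tolerance:
            hits[key] = avg
    return hits


if __name__ == "__main__":
    for (client, host), gap in find_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {host}: ~{gap:.0f}s cadence")
```

A regular cadence alone is not proof of an implant (software updaters and mail clients poll too), so a hit is a lead for triage rather than a verdict.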

All that was required to be a victim of the hack was visiting specific websites.

The attack was first discovered in January by Google's counter-espionage team, the Threat Analysis Group (TAG), and exposed in detail by Google's Project Zero, a team of security analysts tasked with hunting down vulnerabilities in software. After finding hacked websites delivering malware as part of a "watering hole" attack (in which visitors are infected with malware by visiting a site, rather than seeking out victims via "phishing" or other directed email attacks), TAG reported the vulnerability to Apple.

In October 2018, Lookout head of security Mike Murray held a briefing on Capitol Hill about how hackers could use malware to disrupt the US elections by targeting candidates, journalists and activists. ROB LEVER/AFP/Getty Images

After TAG discovered the infected sites, Project Zero analyzed five "exploit chains," which allowed for iPhone hacking to continue across multiple updates, affecting most versions of the iPhone software between iOS 10 and iOS 12. "This indicated a group making a sustained effort to hack the users of iPhones in certain communities over a period of at least two years," Project Zero's Ian Beer wrote.

The exploits depended on Apple software code "which seems to have never worked, code that likely skipped QA or likely had little testing or review before being shipped to users," Beer added.

Thousands of site visitors were infected by the malware every week, though the full scale of the hack is still unclear. Neither Google nor Apple has yet revealed which websites were serving malware or whether the hackers were targeting specific communities. The MIT Technology Review cites iOS expert Jonathan Levin, who believes the scale and sophistication of the hack point to a nation, rather than an individual or other group.

Has Your iPhone Been Hacked?

WhatsApp was the target of a previous cybersecurity breach which resulted in some uncomfortable conclusions for iPhone users, who may never learn whether their data has been stolen in an iOS software breach. Justin Sullivan/Getty Images

After TAG passed the exploit discoveries to Apple, the iPhone manufacturer patched the vulnerabilities in a February 7 update (version 12.1.4) that wiped the malware from existing phones and protected all subsequent iPhones. However, the scale of its impact remains unknown. There is no simple way for iPhone users to determine whether their phone has been infected, as the malware runs in the background with no clear indication. Beyond ensuring one's software version is 12.1.4 or newer, there's nothing iPhone users can do to determine whether they were a victim of the hack.

Previously, exploiting Apple's iOS operating system was believed to depend upon targeting individual iPhones, with the expense and difficulty of maintaining channels of possible exploitation limiting malware attacks to intelligence or counterintelligence operations with specific targets.

In May, select iPhone users were targeted through a vulnerability in WhatsApp. The attack had "all the hallmarks," according to WhatsApp, of a private company that reportedly "works with governments to deliver spyware that takes over functions of mobile phone operating systems." The accusation was widely interpreted as directed at the NSO Group, an Israeli cybersecurity firm that provides hacking technology to "authorized governments."

As with this latest, far more widespread, iPhone hack, the WhatsApp exploit revealed how difficult it can be for iPhone users to determine whether they've had data stolen from their device. Watchdog groups like Amnesty International place the blame partially on Apple itself, which has routinely kept security controls inaccessible to the public and researchers.

"These security controls have made mobile devices extremely difficult to inspect, especially remotely, and particularly for those of us working in human rights organizations lacking access to adequate forensic technology," Amnesty technologist Claudio Guarnieri told Vice in May. "Because of this, we are rarely able to confirm infections of those who we even already suspect are being targeted."