Researchers from Google’s Project Zero security initiative on Thursday announced their discovery of a “small collection” of hacked websites that for many years have hosted exploits targeting iPhone models, including the iPhone X, running the latest version of iOS 12.
Google says its Threat Analysis Group (TAG) uncovered the websites earlier this year. It is estimated the websites receive thousands of visitors per year.
“The hacked sites were being used in indiscriminate watering hole attacks against their visitors, using iPhone 0-day,” writes Project Zero’s Ian Beer. “There was no target discrimination; simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant.”
TAG says it is likely that the hacks are the work of a bad guy who, over a period of at least two years, used the sites to infiltrate select iPhone user demographics targeted by the undisclosed sites.
TAG found evidence of five unique iPhone exploit chains covering versions of iOS from iOS 10 to the current version of iOS 12. The hacks impact iPhones from the iPhone 5s up to the iPhone X.
Google researchers uncovered 14 vulnerabilities that impacted the iPhone’s web browser, kernel, and sandbox security mechanism.
Motherboard reports the exploits were used to deploy an implant designed to steal files and upload real-time GPS location data. The code also accessed users’ keychains, which securely store passwords, and the databases of encrypted messaging apps like Apple’s iMessage. The implant also grabbed copies of Contacts data and Photos.
Although the malware would be removed from an infected iPhone when it was rebooted, Beer says attackers might be able to “maintain persistent access to various accounts and services by using the stolen authentication tokens from the keychain, even after they lose access to the device.” And, of course, visiting the infected website would reinstall the malicious code.
Google told Apple about the issue on February 1, and Apple patched the problem in iOS 12.1.4, which was released on February 7.