Google security researchers recently discovered a critical vulnerability found within the iPhone, where a collection of malicious websites visited thousands of times per week were secretly implanting software to steal users’ data for. Worse still, the researchers says that hackers were able to take advantage of the exploit of iPhone users for at least two years.
According to cybersecurity researcher and Project Zero member, Ian Beer, the attackers don’t need to choose their targets as any visitors will be vulnerable to the attack when they visit the website. If the phone is successfully compromised, it will install a monitoring implant discreetly into the victim’s iPhone.
Additionally, researchers were able to conclude that the exploit seems to affect iPhones running from iOS 10 to the most current iOS 12. The software was said to have sent contacts, images, live GPS location and other data to the hacker’s server through 60-second intervals.
The implant was also capable of stealing data from certain apps based on their own references. Even worse, it was discovered that the malicious software is capable of intercepting encrypted data from apps such as Whatsapp and Telegram and transfer it into their servers.
If the phone is restarted then the implant is rendered inactive until the device is exploited again when the user visits the malicious site. Nonetheless, sensitive information has already been snooped out of the phone from the first attack.
It should also be noted that the exploit allows attackers to gain root access to an iPhone which allows the implanting process to take place quietly. As Apple is not aware of the exploit, it was classified as a zero-day exploit.
Ultimately, Google’s researchers notified Apple of the vulnerabilities back on 1 February. Six days later, Apple released a security patch in iOS 12.1.4 update; far less days than the typical 90 days given to software developers. On that note, we recommend iPhone users keep their device as up to date as possible to minimize security risks.