Security researchers at Google have found evidence of multiple, sustained efforts to hack iPhones over a period of at least two years.
The attacks were carried out through websites that secretly implanted malicious software on visitors' devices in order to harvest as many contacts, images and other data as possible.
Google's analysis suggested that these websites were visited thousands of times every week, meaning that many iPhone users unknowingly handed their data to the people behind the sites.
When asked about the matter by the BBC, Apple declined to comment.
The attack was described in detail by British security researcher Ian Beer, a member of Project Zero, the Google team tasked with finding previously unknown security flaws in widely used software. Mr Beer published a series of technical posts on the matter on the Project Zero blog.
In his posts, Mr Beer wrote “There was no target discrimination.”
He then added that “Simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant.”
According to Mr Beer and his team, the attackers chained together 14 separate security flaws to compromise devices: seven in Safari, Apple's default web browser, five in the iOS kernel, and two sandbox escapes.
Once installed on an iPhone, this "monitoring implant" could access a huge amount of data, including contacts, photos and live GPS location.
The implant would then upload the information to an external server every minute, keeping the attackers' copy constantly up to date.
To make matters worse, the implant also harvested data from apps that people use every day, such as Instagram and WhatsApp; Mr Beer also named Gmail and Hangouts, Google's own email and chat apps, among those affected.
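The once-a-minute upload described above is the kind of cadence a network defender can look for, because few things other than a beacon contact the same host at such a regular, short interval. The Python below is an added example and is not code from the article or from Project Zero's analysis: it groups connection records by source and destination and flags pairs whose inter-connection gaps are short and nearly constant. The log lines, IP addresses and thresholds are constructed for the demonstration.

```python
"""Flag hosts that contact one destination at a fixed, short interval.

Added example (not from the article or Project Zero). The implant
described above uploaded data every minute; that cadence stands out in
connection logs. The records below are constructed for the demo.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample connection log: "epoch_seconds src_ip dst_ip bytes_out".
# 203.0.113.7 is contacted roughly every 60 s; 93.184.216.34 is ordinary
# browsing traffic with irregular gaps.
SAMPLE_LOG = """\
1567000000 10.0.0.5 203.0.113.7 3100
1567000003 10.0.0.5 93.184.216.34 812
1567000060 10.0.0.5 203.0.113.7 2980
1567000121 10.0.0.5 203.0.113.7 3350
1567000150 10.0.0.5 93.184.216.34 4400
1567000180 10.0.0.5 203.0.113.7 3010
1567000240 10.0.0.5 203.0.113.7 3120
1567000299 10.0.0.5 203.0.113.7 2900
1567000360 10.0.0.5 203.0.113.7 3200
1567000420 10.0.0.5 203.0.113.7 3050
1567000700 10.0.0.5 93.184.216.34 610
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, src, dst, bytes) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, nbytes = line.split()
        records.append((int(ts), src, dst, int(nbytes)))
    return records


def find_beacons(records, min_events=6, max_interval=600, max_jitter=0.15):
    """Return {(src, dst): stats} for pairs whose connection gaps look like a beacon.

    A pair is flagged when it has at least `min_events` connections, the
    mean gap is at most `max_interval` seconds, and the gaps vary by no
    more than `max_jitter` (population std-dev divided by mean). The
    thresholds are illustrative assumptions, not values from the report.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, _ in records:
        by_pair[(src, dst)].append(ts)

    hits = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0 or avg > max_interval:
            continue
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            hits[pair] = {"events": len(stamps), "interval": avg, "jitter": jitter}
    return hits


if __name__ == "__main__":
    for (src, dst), stats in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{src} -> {dst}: {stats['events']} connections, "
              f"every {stats['interval']:.1f}s (jitter {stats['jitter']:.3f})")
```

Treat a hit as a triage signal rather than a verdict: plenty of legitimate software polls on a fixed schedule, so the destination still has to be checked against known services before anyone concludes a device is compromised.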
Worryingly, Mr Beer added that the attackers had exploited "almost every version from iOS 10 through to the latest version of iOS 12".
Google's team told Apple about the vulnerabilities in its software on 1 February this year, and Apple released a patch less than a week later, but some users did not install the update that would have protected them from the attack.
Apple told users to update their system software immediately, as the update fixed issues whereby "an application may be able to gain elevated privileges" and "execute arbitrary code with kernel privileges".
Mr Beer's analysis did not attempt to identify who was behind the attack, or how much such an exploit chain might have fetched on the black market. Exploits of this kind have sold for several million dollars in the past, because of the extremely sensitive information they yield. However, they lose that value completely once they are discovered and fixed.