Websites have been quietly hacking iPhones for years and there’s no telling who was infected — or who was behind it

Websites delivered iOS malware to thousands of visitors in the biggest iPhone hack ever. There’s no telling who was infected — or who was behind it, but if you have updated your iPhone you are protected.

Patrick Howell O’Neill for MIT Technology Review:

The largest ever known attack against iPhone users lasted at least two years and hit potentially thousands of people, according to research published by Google.

The malware could ransack the entire iPhone to steal passwords, encrypted messages, location, contacts, and other extremely sensitive information… The scope, execution, and persistence of the unprecedented hacking campaign points to a potential nation-backed operation but the identity of both the hackers and their targets is still unknown.

“The data taken is the ‘juicy’ data,” says Jonathan Levin, an author of three books on the internals of Apple’s operating systems. “Take all the passwords from the keychain, location data, chats/contacts/etc, and build a shadow network of connections of all your victims. Surely by six degrees of separation you’ll find interesting targets there.”

Apple patched the bugs quickly in February 2019 so everyone who has updated their iPhone since then is protected. Rebooting the iPhone wiped the malware but the data had already been taken. Exactly who was infected remains an open question.

MacDailyNews Take: Another good reason to reboot your iPhone/iPad! It clears out all sorts of muck.

12 Comments

  1. They keep mentioning iPhone but I do far more web surfing on my Pad. I thought I did so with impunity. I often reboot my iOS devices, and completely quit apps no matter what Apple says. I wish they would say which websites were disseminating the malware. I also wish they would go into depth on how it worked. Sounds like yet another Safari hack, based on what little info there is.

    I guess iOS users are in debt to Google. Well done.

      1. Potentially 1000’s. Sounds like a very specific web site with limited appeal. There are MILLIONS of iPhones in use this very second. Glad it was patched, and I’m also glad I try and restart once a week, maybe more often now

        1. I was thinking the same thing. “Thousands” is a very specific hack with an extremely limited audience. Something to fix for sure, but nothing to get worked up about.

          1. The source article does go into intimating that indirect accumulation of data may have been made up to 6 degrees of separation from an ‘infected’ device. Though your device or your friend’s may not have been infected, it sounds as if your data could also be compromised if you fall within that range. Best to update to make sure.

    1. Well, it probably isn’t the truth. The fingers are mostly pointing at The People’s Republic of China hacking the users of Uighur-language websites. Not a danger for most of us. The same malware affected Android users, but that isn’t exactly featured in the Google press release. Neither is the fact that Apple plugged this months ago in one of the system updates that most iOS users install and most Android users don’t.

      1. Interesting. Please cite the article/source that states the same malware affected Android users. Since the ‘chink’ in iOS in this case was via Safari, it may not have affected Android devices that mainly use Chrome.

          1. Thank you. That was informative. Reading through them confirms that the same websites also targeted both Android and Windows but it is yet unknown what exploits were used for those OSes nor how harmful they are in relation to that reported for iOS. I’ll keep an eye out for further details that may be discovered.

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.