The security team at Google’s Project Zero has uncovered an iOS vulnerability that exposed iPhone users to a hack that would allow threat actors to install monitoring implants on their devices.
The hack takes advantage of a “zero-day” vulnerability in Apple’s iOS. The definition of zero-day hacks can vary a little, but in general, a zero-day is a type of vulnerability in a piece of software that allows outside actors to exploit that software. Project Zero was founded with the idea of discovering these zero-day hacks and learning from them to make such attacks more difficult.
A member of Project Zero, Ian Beer, published a blog post in which he goes into further detail about the vulnerability:
“Now, after several months of careful analysis of almost every byte of every one of the exploit chains, I’m ready to share these insights into the real-world workings of a campaign exploiting iPhones en masse. Let’s also keep in mind that this was a failure case for the attacker: for this one campaign that we’ve seen, there are almost certainly others that are yet to be seen.”
-Ian Beer, Google Project Zero
The discovery is nothing short of embarrassing for Apple. The company has always prided itself on its relative resistance to malware attacks. There are very few viruses for macOS compared to Windows, and the same could be said of iPhone malware compared to Android malware.
Even so, this malware was able to install itself directly onto an iOS device once the device visited an infected website. There was no need to download anything manually; the malicious payload would download and install itself. After being installed, the malware would give the outside actor access to everything on the phone. That includes sensitive information such as chat history and even passwords.
Google is the main competitor to Apple, so it’s awfully convenient that they find a problem in iOS and then publicize it. It seems that the policy at Project Zero is to publish all of these findings – no matter the source – after giving enough time to allow for the problem to be patched. It should be noted that Apple patched the vulnerability as soon as they were made aware of it. Still, you’ve got to wonder if Project Zero would be so open about publishing failures in the Android OS.