Vulnerabilities in iOS were used to spy on iPhones for years

Google researchers have discovered websites that have been infecting iPhones with malware for years through iOS vulnerabilities. This gave attackers access to, among other things, location data, passwords, Google accounts and WhatsApp conversations.

Earlier this year, Google’s Threat Analysis Group discovered a number of hacked websites that attacked iPhone visitors since September 2016. The attacks were not targeted, all website visitors with an iOS device were targeted. Google estimates that the websites in question had thousands of visitors per week. Google does not disclose which sites or what types of sites were involved.

The Google TAG researchers found five unique iPhone exploit chains that penetrated virtually all versions from iOS 10 up to iOS 12. The attackers used various vulnerabilities for this, including zero days whose existence was not yet known. According to Google, the various exploit chains indicate that there is a group that has attempted to eavesdrop on iPhones over a period of at least two years.

researchers found five exploit chains, for different iOS versions

Victims were infected just by visiting the websites. The malware was loaded in the background, without user interaction being required. After a successful infection, the attackers gained root access to all databases of apps, which makes it possible, for example, to read conversations in WhatsApp, iMessage and Telegram.

With direct access to the storage of devices, e-mails, contact lists and photos can also be viewed. Location data could also be tracked in real time and it was possible to retrieve stored passwords. This makes passwords of Wi-Fi networks transparent, for example, and Google Single-Sign-On services could also be intercepted by accessing the keychain. This allowed attackers to gain access to Google accounts.

The malware was placed in a temporary folder and disappeared after a reboot of the device. As long as an infected iPhone was not rebooted, it was accessible to the attackers. It was not visible to victims that malicious parties had access to their device.

Google researchers have tested the malware, or the implant, on an iPhone 8 with iOS 12 and set up its own command server, to see what exactly happens when a device is infected. The malware contacts the server every minute and then forwards the GPS data. The malware contains a list of third-party apps whose content is forwarded to the server. That list includes email apps such as Yahoo, Outlook, Gmail, Mailmaster, and QQ Mail. WhatsApp, Skype, Facebook, Telegraph and Viber are also on that list. Attackers can also request a list of other apps that are installed on the device and data can also be requested from them on request.

The attackers used WebKit vulnerabilities to penetrate the iPhones via Safari. According to Google, the same vulnerabilities would also work in the iOS version of Chrome, but the attackers only targeted Safari users via the websites. Once the malware was injected, combinations of other iOS vulnerabilities were used to gain more privileges.

Fourteen different vulnerabilities were used in the five exploit chains. It involved seven vulnerabilities in the iPhone browser, five vulnerabilities in the kernel and two sandbox escapes. According to the Google researchers, at least one of the vulnerabilities was unknown at the time of discovery. Google notified Apple of this on February 1, and gave a one-week deadline for patching it. That resulted in the arrival of iOS 12.1.4 on February 7 this year.

According to Google, it is not clear whether the other exploits were known to the attackers themselves, or whether they started using them after they were reported. There is often a period between the publication of a vulnerability and the release of a patch. During that period, devices are vulnerable. The same applies to devices that have not been updated. The attack described by Google has been able to take place for years. The leaks were only closed in February this year. However, the search giant notes that it is possible that more such attacks exist in the wild, exploiting vulnerabilities that are not yet known.

According to the Google researchers, the underlying cause of the vulnerabilities in the software is nothing new. In many cases, it would concern vulnerabilities in code that never worked and was not or little tested before it ended up in an iOS version.

It is not clear who is behind the attacks and what the target of the attackers was. The Google researchers note that the methods used make it possible to spy on large groups of users ‘in certain communities’.