Researchers from Google have uncovered what appears to be a concentrated malware campaign targeting iPhones for at least two years. Thankfully, this may be over now, although they warn it’s possible there are others that are yet to be seen.
Project Zero, the search giant’s security team tasked with finding zero-day vulnerabilities in software, said they discovered a small collection of malicious websites that could be used to hack the devices, using previously undisclosed five different “exploit chains” — wherein a string of flaws are linked together to mount an attack.
The chained exploits leveraged 14 different vulnerabilities that covered every version from iOS 10 all the way through iOS 12. Apple issued a patch as part of its iOS 12.1.4 update back in February after the team privately disclosed the flaws, and gave the iPhone maker just a week to fix them.
Project Zero normally adheres to a strict 90-day disclosure period, but the reduced deadline is indicative of the seriousness of the vulnerabilities involved.
“There was no target discrimination; simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant. We estimate that these sites receive thousands of visitors per week,” Project Zero researcher Ian Beer said.
The exploits — called watering hole attacks — allow a bad actor to compromise a specific group of end users by infecting websites that they are known to visit, with an intention to gain access to the victim’s device and load it with malware or malvertisements.
The 14 vulnerabilities span across Safari and the kernel (aka the core operating system), aside from two separate instances of sandbox escapes that make it possible to execute arbitrary code outside of an application’s confines.
In short, the five attack chains granted elevated “root” access to an attacker, giving the party full permissions to install malware and access files that are otherwise off-limits — including uploading photos, messages, contacts and live location data every 60 seconds to a command-and-control server.
More troublingly, the malware implant also uploaded the devices’ keychain — which is used to securely store data such as Wi-Fi passwords, login credentials, and certificates — and the data containers associated with a hard-coded list of third party apps like WhatsApp, Telegram, Skype, Facebook, Viber, Gmail, and Outlook.
This is particularly alarming as it defeats the very idea of end-to-end encryption (E2EE) on apps like WhatsApp. E2EE secures data from man-in-the-middle attackswhen it’s in transit, but serves no purpose when the ‘end’ itself is compromised and an attacker can get hold of unencrypted, plain-text of the messages sent and received.
The one silver lining is that the implant does not have persistence on the device, meaning “if the phone is rebooted then the implant will not run until the device is re-exploited when the user visits a compromised site again,” Beer noted.
But given the broad scope of data that can be hijacked, which is then uploaded — unencrypted — to the attacker’s server, the incident underscores the consequences of such highly targeted malware campaigns.
“All that users can do is be conscious of the fact that mass exploitation still exists and behave accordingly; treating their mobile devices as both integral to their modern lives, yet also as devices which when compromised, can upload their every action into a database to potentially be used against them,” Beer said.