Researchers say cyberspies exploited security vulnerabilities to plant spyware on Apple iPhones when users merely visited a small group of malware-infected websites.
Sensitive data accessed included text messages, photos and real-time location. Security experts are calling the just-announced vulnerability, which Apple fixed in February, the worst yet affecting iPhones.
Google security researchers say thousands of iPhone users per week were exposed over more than two years before Apple issued a patch. They do not say who was behind the cyberespionage but experts say it has the hallmarks of a nation-state effort.
Google researcher Ian Beer says in a blog posted late Thursday that the discovery should dispel any notion that it costs a million dollars to successfully hack an iPhone.
“There was no target discrimination; simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant,” he wrote.
“We estimate that these sites receive thousands of visitors per week.”
Apple did not immediately respond to a request for comment.
Google’s Threat Analysis Group “was able to collect five separate, complete and unique iPhone exploit chains, covering almost every version from iOS 10 through to the latest version of iOS 12. This indicated a group making a sustained effort to hack the users of iPhones in certain communities over a period of at least two years,” Beer wrote.
He makes recommendations on taking remedial steps in the blog post.