Exploiting Apple’s iOS operating system, the software that powers both the iPhone and iPad, is a complex and expensive process. “iOS exploitation requires sidestepping and bypassing Apple’s formidable defenses, in multiple layers ,” says Levin.
Apple patched the bugs quickly in February 2019 so everyone who has updated their iPhone since then is protected. Rebooting the iPhone wiped the malware but the data had already been taken. Exactly who was infected remains an open question. iPhone users themselves likely wouldn’t know because the malware runs in the background with no visual indicator and no way for an iOS user to view the processes running on the device.
In January 2019, Google’s Threat Analysis Group (TAG), the tech giant’s counterespionage specialists, first found hacked websites that were delivering malware to thousands of visitors per week. The tactic is known as a watering-hole attack: attackers lace carefully selected websites with malware and wait for expected visitors to arrive to be infected. Just visiting the site was enough to download the malware.
Google’s discovery included, over a period of years, five so-called “exploit chains” with 14 vulnerabilities including at least one active zero-day vulnerability, the term used to describe an exploitable bug undiscovered by a company like Apple. When one exploit chain was rendered useless by an Apple patch, the hacker quickly implemented the next one.
TAG passed the intelligence to Apple, who issued iOS patch 12.1.4 on February 7 with a fix, as well as to others within Google. Google’s Project Zero, the company’s security analysis team, has spent the last seven months dissecting these bugs.
“There was no target discrimination; simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant. We estimate that these sites receive thousands of visitors per week,” Google’s Ian Beer wrote in google’s paper.
It’s not clear who was infected. Google’s Project Zero did not release key information including which websites were infected. It seems likely that neither Apple nor Google would have a full accounting of victims but there could be other clues, including which populations typically visit the infected website.