Google security researchers say that hackers spent at least two years targeting iPhones “en masse” and placing “monitoring implants” on Apple’s smartphones.
The implants possessed the ability to steal private data such as iMessages, photos and GPS location in real-time, according to the Google researchers.
In a blog post on Thursday, Ian Beer of Google’s security research team Project Zero said that hackers exploited iPhone vulnerabilities to surreptitiously place the implant on the phones of users who visited certain hacked websites.
TURN OFF YOUR BLUETOOTH, WARN SECURITY EXPERTS
“There was no target discrimination; simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant,” he explained “We estimate that these sites receive thousands of visitors per week.”
Beer did not identify the hacked websites in the post.
“The hacked sites were being used in indiscriminate watering hole attacks against their visitors,” he added.
The experts discovered a total of 14 iPhone vulnerabilities related to the five exploits. According to Google, seven of the vulnerabilities were related to the iPhone’s Web browser. Google says that it notified Apple of the vulnerabilities on Feb 1, 2019, and the iPhone maker patched them on Feb 7, 2019.
Google researchers identified five separate and unique “iPhone exploit chains,” which they say covered almost every version of the iOS operating system, from iOS 10 to the latest version of iOS 12.
“This indicated a group making a sustained effort to hack the users of iPhones in certain communities over a period of at least two years,” Beer explained.