Google has uncovered evidence of a sustained effort to hack large numbers of iPhones over a period of at least two years, its researchers said.
Earlier this year, Google cybersecurity experts “discovered a small collection of hacked websites” that exploited vulnerabilities in Apple’s smartphone software, Ian Beer, a researcher with Google’s Project Zero, said in a blog post published Thursday. He did not name the websites.
“Simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant,” Beer added. “We estimate that these sites receive thousands of visitors per week.”
The implant was capable of giving hackers access to iPhone users’ contacts, photos and location, as well as data from apps like iMessage, WhatsApp, Telegram, Gmail and Google Hangouts, according to the Project Zero researchers.
The Google researchers discovered “a total of fourteen vulnerabilities,” half of them linked to the iPhone’s web browser. They informed Apple of the vulnerabilities on February 1, prompting the company to issue a software update six days later when it admitted certain applications could potentially “gain elevated privileges” and “execute arbitrary code.”
Beer described the attempted hack as a campaign to exploit “iPhones en masse.” He also said it was “a failure case for the attacker” and it was not clear from the post whether any data was actually stolen.
Neither company responded immediately to a request for comment on Friday.
The vulnerabilities covered almost every version of the iPhone operating system “from iOS 10 through to the latest version of iOS 12,” Beer added.
“This indicated a group making a sustained effort to hack the users of iPhones in certain communities over a period of at least two years,” he wrote.
Beer said that also warned that there could be other potential attacks.
“For this one campaign that we’ve seen, there are almost certainly others that are yet to be seen,” he said. “All that users can do is be conscious of the fact that mass exploitation still exists and behave accordingly; treating their mobile devices as both integral to their modern lives, yet also as devices which when compromised, can upload their every action into a database to potentially be used against them.”