Hackers planted spyware on iPhone users’ devices over a two-year period. They did this by exploiting a vulnerability in the technology’s operating systems, Google said Friday.
The hackers targeted a group of infected websites that, when visited by iPhone users, attacked the devices and in some cases installed malware, according to Ian Beer of Project Zero. Project Zero is a team of Google security analysts that investigates cybercrime.
“There was no target discrimination; simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant. We estimate that these sites receive thousands of visitors per week,” Beer wrote in a blog post.
Using the implant, hackers could access Apple customers’ data. This includes their passwords and personal contacts, as well as messages sent through iMessage, WhatsApp, Gmail and Google Hangouts, according to Project Zero researchers.
Almost every version of Apple’s iPhone operating system was vulnerable, he said. It is unclear how many users might have been affected.
The security bugs Beer identified aren’t new, but rather were exploited in novel ways.
“Ian shows this is the first time these types of vulnerabilities have been used out on the wide internet, where if the malicious code was present on a certain website that was accessed, the unsuspecting user would be infected, and remain blissfully ignorant of it,” said operating system internals researcher Jonathan Levin.
The scope of the hack suggests it was backed by a nation rather than an individual, Levin said. “It requires a lot of research, and there has to be an endgame motive for this,” he told CBS MoneyWatch. “It’s possible that those behind the hack targeted a specific demographic or interest groups.”
“My personal hunch, because of the level of proficiency and efficacy of the exploits, is that this is not the work of your average hacker,” he added.
Neither is there a sure-fire way for users to protect themselves against security breaches, Beer said. “All that users can do is be conscious of the fact that mass exploitation still exists and behave accordingly; treating their mobile devices as both integral to their modern lives, yet also as devices which when compromised, can upload their every action into a database to potentially be used against them.”
Google said it reported its findings to Apple in February, after which the tech giant released an updated operating system to fix the flaws.