Google researchers tasked with finding zero-day vulnerabilities in the wild revealed on Thursday that a small collection of websites had been aimlessly infecting iPhone users since at least 2017. The sites received thousands of visitors per week, researchers said.
“There was no target discrimination,” Ian Beer, a Google hacker and member of the company’s Project Zero team, wrote in a blog. “Simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant.”
The group of websites, a watering hole intended to attract and infect iPhone users, was first discovered by Google’s Threat Analysis Group (TAG), Beer said. Once infected, the attackers would have ostensibly gained access to a wide range of private information belonging to their victims, including their location data, passwords, and contacts, among other sensitive details.
Project Zero and TAG ultimately discovered exploits for 14 security flaws, which left vulnerable everything from the iPhone’s web browser to its kernel, the core of its operating system. At least one of the exploit chains was considered a zero-day vulnerability, meaning it was unpatched at the time of discovery.
Apple was notified in February and released a fix within seven days. Apple disclosed the update at that time, describing the flaws as “memory corruption” issues, which were addressed with “improved input validation.” Beers and Samuel Groß of Project Zero and Clement Lecigne of TAG were given credit for the find.
“Real users make risk decisions based on the public perception of the security of these devices,” Beers wrote. “The reality remains that security protections will never eliminate the risk of attack if you’re being targeted.”
“To be targeted might mean simply being born in a certain geographic region or being part of a certain ethnic group,” he said. “All that users can do is be conscious of the fact that mass exploitation still exists and behave accordingly; treating their mobile devices as both integral to their modern lives, yet also as devices which when compromised, can upload their every action into a database to potentially be used against them.”