A malicious website can infect my iPhone. Fact or fiction?

[harlan4096]

The idea that iPhones are totally immune to threats has been debunked time after time. In fact, though the Apple smartphones may present a smaller target than Android devices, some say you can pick up all sorts of malware just by opening a dangerous website, without knowingly downloading and installing anything from that site. In this post, we find out whether that is true.

Truth: Malicious websites have been cracking iPhone security mechanisms for more than two years now

Researchers from Google’s Project Zero have discovered several hacked websites that have been attacking iPhones for at least two years now. To achieve that, attackers exploited 14 software vulnerabilities, seven of which are in Safari, the browser the vast majority of iPhone owners use.

Two other vulnerabilities have allowed malware to escape the sandbox that iOS uses to prevent one app from accessing (not to mention changing) other apps’ data. And the last five affect the iOS’s kernel, which is the central component of the operating system. Breaking the kernel gives the attacker root privileges, which not even the owner of the iPhone possesses.

The malicious websites in question were capable of attacking almost all current versions of Apple’s mobile operating system, from iOS 10 to iOS 12. The attackers changed their strategies in response to updates, refocusing their efforts entirely on new vulnerabilities.

What kind of malware was installed on infected iPhones

The infected websites managed to install spyware on the devices of victims, where it obtained unlimited device access privileges and worked in the background so that users wouldn’t notice a thing. It would then extract and send data from the device to a command-and-control server every minute, literally. The spyware was interested primarily in the following:

* Passwords and authentication tokens stored in the iCloud Keychain. Attackers were able to use these credentials to gain persistent access to victims’ accounts and steal data from them even after the spyware was deleted from the device;

* Messages in the iMessage, Hangouts, Telegram, Skype, Voxer, Viber, and WhatsApp messengers. The malware stole information from the app databases, where all messages are stored in unencrypted form;

* Messages in the Gmail, Yahoo, Outlook, QQmail, and MailMaster mail apps. The spyware was also able to obtain them from the corresponding app databases;
Call history and SMS;

* Real-time information about the device’s location if GPS was enabled;

* Address book;

* Photos;

* Notes;

* Voice memos.

In addition, if the command-and-control server requested it, the malware sent its owners a list of apps on the device and could follow up with data from any of them. Worse, it transmitted all of that information in plain text format. In other words, if an infected iPhone connected to a public Wi-Fi network, then anyone — not just the spyware’s operators — could see the passwords, messages, and other information about the victim that the malware sent.

It is noteworthy that the developers of the spyware were indifferent about whether the malware was able to gain a firm foothold in the system; it would disappear from the smartphone on reboot anyway. But given how much information the malware managed to steal at once, its disappearance is small consolation.

Continue Reading