How new spyware bypasses iPhone security.

The iPhone has long been considered one of the most secure smartphones on the market, but a new wave of attacks shows that those days are over. Experts have discovered that stealth hacking tools, previously primarily used by intelligence agencies and law enforcement agencies, have now found their way into the hands of cybercriminals. This is bad news for iPhone owners: malware can stealthily extract personal messages, photos, notes, and calendar data.
Over the past month, several teams, including Google, iVerify, and Lookout, have uncovered two campaigns exploiting iPhone vulnerabilities. Earlier this month, Google reported the discovery of a sophisticated iPhone hacking toolkit called Coruna. Coruna was initially developed for an unnamed government client but later leaked to a Chinese cybercriminal group. It was later revealed that the spyware was developed for the US government by defense contractor L3Harris.
The attackers distributed Coruna through fake Chinese-language websites related to cryptocurrency and finance. Simply visiting an infected website from a vulnerable iPhone was enough to compromise the device, without even tapping or downloading anything.
On the same server, specialists discovered another iPhone hacking kit, dubbed DarkSword. According to Google, the tool infected smartphones as soon as they visited specific websites, including Ukrainian news and government resources. This approach is called a "site-based attack," where attackers lie in wait for the victim on a trusted page.
Once infected, the malware collects almost all of the smartphone's content: iMessage, WhatsApp, and Telegram messages, location data, contact list, call history, Wi-Fi settings, browser history, and cookies, according to iVerify.
Although DarkSword was used against visitors to Ukrainian websites, the problem turned out to be broader. Lookout reported that the developers left the main JavaScript code on the server in plaintext. Due to this oversight, even the most unskilled cybercriminals could copy the tool and repurpose it for their own ends.
Apple stated that it had already patched the vulnerabilities exploited by the attacks in newer versions of iOS released in recent years. Last week, the company also released an unscheduled update for older devices that don't support the latest versions of the system. Furthermore, Safari now blocks malicious URLs identified during Google's investigation.
Previously, such tools, based on rare and highly valuable iPhone vulnerabilities, were available primarily to wealthy government clients. These tools were used to spy on activists, journalists, and foreign politicians. Now, the barrier to entry has lowered: cybercriminal groups are also gaining access to such developments, and the pool of potential victims is rapidly expanding.
iVerify co-founder Rocky Cole stated that the spyware market has grown so much that mobile hacking tools have become much more accessible. He added that every iPhone owner now has to think about this threat.
These new findings highlight how the iPhone's former image as a nearly impenetrable device is changing. Apple continues to tout its multi-layered defenses and the work of its security teams around the world, but recent findings show that even this ecosystem no longer appears completely secure.
Of particular interest was Lookout's theory that DarkSword's creators may have used a large language model when developing parts of the hacking kit. Experts noted the names of some files. One of the files responsible for receiving stolen data was literally called "DarkSword file receiver." Lookout believes that someone with serious offensive security training would hardly have chosen such a straightforward name.
Complete protection against such attacks is not yet available. iVerify believes that Lockdown Mode would only partially block DarkSword's infection chain, although it fully protects against Coruna: the program stops functioning if Lockdown Mode is enabled. Experts recommend installing iOS updates as quickly as possible, enabling Lockdown Mode, and using third-party mobile security tools. The problem is that even with such caution, the average user may not notice the infection.
