Researchers at Google announced the discovery of a hacking campaign that used hacked websites to deliver malware to iPhones.
Project Zero, Google’s security research team, discovered fourteen previously unknown vulnerabilities, called zero day exploits, that were capable of compromising iPhones. Further research revealed a small collection of hacked websites capable of delivering malware to iPhone users visiting those sites.
“There was no target discrimination; simply visiting the hacked site was enough for the exploited server to attack your device, and if it was successful, installing a monitoring implant. We estimate that these sites receive thousands of visitors per week,” wrote Project Zero member Ian Beer in a blog post announcing their findings.
The data accessible on the compromised phones included the user’s location, their passwords, chat histories, contact lists, and full access to their Gmail accounts.
"Given the breadth of information stolen, the attackers may nevertheless be able to maintain persistent access to various accounts and services… even after they lose access to the device,” said Beer.
The hacking campaign was active for at least two years before it was discovered by Project Zero. The research team informed Apple of their findings, and the targeted vulnerabilities were patched in an update in February 2019.