Millions of iPhones are vulnerable to iMessage attack facilitated by black box-like iOS

May 2024 · 3 minute read
Kaspersky has discovered new spyware that attackers can install stealthily on iPhones not running the latest version of iOS.

The malware was discovered when the company noticed suspicious activity originating from several iPhones owned by its employees. Because iOS gives no direct access to a running device's internals, Kaspersky created offline backups of the devices it suspected were infected and found traces of compromise in those backups.

This seems to be a targeted campaign against iPhone owners. The cybersecurity firm is calling it "Operation Triangulation."

How does it work?

Attackers send an invisible iMessage carrying a malicious attachment. The attack is zero-click: the recipient does not have to do anything, and the attachment alone is enough to exploit vulnerabilities in iOS, execute code and install the spyware. The phone then receives further instructions from the attackers' command-and-control server, including ones that escalate the malware's privileges and extend what it can do.

Once installed, the implant has full access to the device and runs a series of commands to collect private data such as microphone recordings, pictures from instant-messaging apps, and geolocation.

Both the original message and the exploit in its attachment are then deleted, so most victims will likely never know that their phone was infected.
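To make the backup-based hunting described above concrete, here is an added example that is not Kaspersky's tooling and not code from the original article. It builds a constructed, deliberately simplified iTunes/Finder-style backup and checks two things the article mentions: the iOS version recorded in the backup's Info.plist ("Product Version" is a real key there), and iMessage attachment files under Library/SMS/Attachments/ that no surviving message in sms.db references, which is what a deleted message with a lingering attachment would look like. The orphan-attachment heuristic is this example's own assumption, not a published Triangulation indicator; the sms.db and Manifest.db schemas are reduced to the columns the check needs, and a real backup stores file contents under hashed names rather than their relative paths.

```python
"""Constructed example: hunt a simplified iPhone backup for orphaned iMessage attachments."""
import os
import plistlib
import sqlite3
import tempfile

ATTACHMENT_PREFIX = "Library/SMS/Attachments/"
# The article reports iOS 15.7 and older as affected; point releases (15.7.x) are
# treated as in range here, which is an assumption of this example.
LAST_KNOWN_AFFECTED = (15, 7)


def version_tuple(version):
    return tuple(int(part) for part in version.split("."))


def backup_ios_version(info_plist_path):
    """Read the iOS version the backup was taken from (Info.plist 'Product Version')."""
    with open(info_plist_path, "rb") as fh:
        return plistlib.load(fh)["Product Version"]


def in_affected_range(version):
    """True when the backed-up iOS is 15.7 or older."""
    return version_tuple(version)[:2] <= LAST_KNOWN_AFFECTED


def find_orphan_attachments(manifest_db, sms_db):
    """Return attachment files present in the backup that no surviving message references."""
    manifest = sqlite3.connect(manifest_db)
    # flags=1 marks regular files in Manifest.db; flags=2 marks directories, which we skip.
    files = [row[0] for row in manifest.execute(
        "SELECT relativePath FROM Files WHERE domain='MediaDomain' "
        "AND flags=1 AND relativePath LIKE ?", (ATTACHMENT_PREFIX + "%",))]
    manifest.close()

    sms = sqlite3.connect(sms_db)
    referenced = set()
    for (filename,) in sms.execute(
            "SELECT a.filename FROM attachment a "
            "JOIN message_attachment_join j ON j.attachment_id = a.ROWID "
            "JOIN message m ON m.ROWID = j.message_id"):
        # sms.db stores '~/Library/SMS/Attachments/...'; Manifest.db omits the '~/'.
        if filename.startswith("~/"):
            filename = filename[2:]
        referenced.add(filename)
    sms.close()
    return sorted(f for f in files if f not in referenced)


def build_sample_backup(root):
    """Construct a tiny backup: one attachment with its message, one whose message is gone."""
    os.makedirs(root, exist_ok=True)
    with open(os.path.join(root, "Info.plist"), "wb") as fh:
        plistlib.dump({"Product Version": "15.7", "Device Name": "sample"}, fh)

    manifest = sqlite3.connect(os.path.join(root, "Manifest.db"))
    manifest.execute("CREATE TABLE Files (fileID TEXT PRIMARY KEY, domain TEXT, "
                     "relativePath TEXT, flags INTEGER)")
    manifest.executemany("INSERT INTO Files VALUES (?,?,?,?)", [
        ("f1", "MediaDomain", "Library/SMS/Attachments/ab/11/GUID-A/cat.jpg", 1),     # referenced
        ("f2", "MediaDomain", "Library/SMS/Attachments/cd/12/GUID-B/IMG_0001.png", 1),  # orphan
        ("f3", "MediaDomain", "Library/SMS/Attachments/cd/12/GUID-B", 2),            # directory
        ("f4", "HomeDomain", "Library/SMS/sms.db", 1),
    ])
    manifest.commit()
    manifest.close()

    sms = sqlite3.connect(os.path.join(root, "sms.db"))
    sms.executescript("""
        CREATE TABLE message (ROWID INTEGER PRIMARY KEY, guid TEXT, text TEXT, date INTEGER);
        CREATE TABLE attachment (ROWID INTEGER PRIMARY KEY, guid TEXT, filename TEXT, mime_type TEXT);
        CREATE TABLE message_attachment_join (message_id INTEGER, attachment_id INTEGER);
        INSERT INTO message VALUES (1, 'msg-1', 'look at this cat', 700000000);
        INSERT INTO attachment VALUES (1, 'GUID-A', '~/Library/SMS/Attachments/ab/11/GUID-A/cat.jpg', 'image/jpeg');
        INSERT INTO message_attachment_join VALUES (1, 1);
    """)
    sms.commit()
    sms.close()
    return root


def run_sample():
    """Build the constructed backup and return (ios version, affected?, orphan files)."""
    root = build_sample_backup(tempfile.mkdtemp(prefix="backup-"))
    version = backup_ios_version(os.path.join(root, "Info.plist"))
    orphans = find_orphan_attachments(os.path.join(root, "Manifest.db"),
                                      os.path.join(root, "sms.db"))
    return version, in_affected_range(version), orphans


if __name__ == "__main__":
    version, affected, orphans = run_sample()
    print(f"iOS {version} (in affected range: {affected})")
    for path in orphans:
        print("attachment with no surviving message:", path)
```

On a real backup, point the two functions at the backup directory's Manifest.db and at the sms.db extracted from it; an orphaned attachment is only a lead, since users also delete ordinary conversations, so each hit still needs the file's timestamps and contents examined.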

No easy way to remove the spyware

One sign that can point to the spyware's presence is an inability to update iOS. Because the implant blocks iOS updates, there is currently no way to remove it without losing user data: the only fix is to reset the affected iPhone to factory settings and install the latest version of iOS, which may not be possible on older iPhones that no longer receive OS updates. If only the spyware is deleted, the device is re-infected.

The campaign has been active since 2019 and is still ongoing. Only iPhones running iOS 15.7 or older appear to be vulnerable.

According to Apple, 81 percent of iPhone users are already on iOS 16, so most iPhone owners have nothing to worry about. But with an estimated 1.36 billion active iPhones in the world, that still leaves roughly 258 million iPhones that can be targeted.

Kaspersky believes iPhones are an easy target for attacks like this because iOS is a black box in which spyware can hide for years. Apple controls the tooling needed to inspect iOS internals, so detecting such threats is difficult.

"In other words, as I’ve often said, users are given the illusion of security associated with the complete opacity of the system. What actually happens in iOS is unknown to cybersecurity experts, and the absence of news about attacks in no way indicates their being impossible – as we’ve just seen." - Eugene Kaspersky, CEO of Kaspersky
