Google security crew sheds light on long-running super-stealthy iOS spyware operation

Project Zero dissects years-long surveillance campaign

Updated Google's Project Zero says more than a dozen iOS flaws that Apple patched back in February had been under attack for years.

Project Zero bug hunter Ian Beer explained how fourteen vulnerabilities in various components of the OS, ranging from the browser to the kernel, were chained together to covertly launch spyware on the devices of anyone who visited one of a group of "watering hole" sites.

Those exploits, designed to compromise new versions and models of the iPhone and iOS as they were released, from the iPhone 5s to the X, appeared in various combinations that were active on the sites for over two years prior to being discovered and patched.

"There was no target discrimination; simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant," Beer noted on Thursday.

"We estimate that these sites receive thousands of visitors per week."

In total, Beer says, the 14 flaws were grouped into five separate chains. Each chain of vulnerabilities included combinations of sandbox escapes, elevation of privilege flaws, and kernel bugs that allowed the attacker to jump from loading a web page on the device to executing code as root.

The malware itself appears designed to monitor users, as it decrypts and siphons off messages from Telegram, WhatsApp, iMessage, and Hangouts, as well as harvesting authentication tokens and collecting user contacts, photos, email, and GPS data.

While the malware is wiped when the device reboots, Beer says the stolen authentication tokens and detailed device information the software nasty collects would allow attackers to effectively track the targets without the code running.

"To be targeted might mean simply being born in a certain geographic region or being part of a certain ethnic group," the Google security guru said.

"All that users can do is be conscious of the fact that mass exploitation still exists and behave accordingly; treating their mobile devices as both integral to their modern lives, yet also as devices which when compromised, can upload their every action into a database to potentially be used against them."

What is catching the attention of the security community is the longevity of the operation. At a time when zero-day exploits are highly sought-after and valuable, the attackers managed to quietly collect and exploit bugs for years without detection.

As Beer notes, however, if the end result was the ability to track and stop a specific group, the operation would have been worth the cost.

"I shan't get into a discussion of whether these exploits cost $1 million, $2 million, or $20 million," he said.

"I will instead suggest that all of those price tags seem low for the capability to target and monitor the private activities of entire populations in real time."

Anyone worried about infection will want to make sure they are running the latest version of iOS (or anything from after February, really). ®

Updated to add

It is likely the Chinese government was behind the spyware, using it to snoop on Uyghur Muslims over a two-year period via booby-trapped websites frequented by the surveillance targets.

Android devices and Windows PCs were also targeted, it is claimed.
