Google helped Apple close a serious iPhone vulnerability

Our smartphones are a treasure trove of information that companies often try to get their hands on. Some, we let do that in exchange for the services they provide, but others try to do it on the sly by concealing exactly what they’re doing. And then there are hackers that just want to get your data without you even realizing it.

There’s a constant game of cat and mouse between software developers and hackers but even the largest corporations can miss a creative way in which the ill-intended are able to siphon data away from their customers. Such was the case with a vulnerability in Apple’s iOS that slipped under the radars for years until it was discovered by Google’s Project Zero.

Google’s task force hunts down exploits

Project Zero is named after the so-called zero-day vulnerabilities. Zero-day refers to the day on which the developer of the vulnerable software is made aware of the issue. Project Zero’s scope of work spans further than Google’s own products and the team investigates software from other popular developers as well. This is why the security specialists were able to detect the vulnerability within Apple’s iOS. If you’re interested in the technicalities of it, check Project Zero’s blog post, where everything is explained in excruciating details.

But if you want just the gist of it, here’s what was going down. Hackers planted their malicious code into various websites (without the websites knowing, of course). When an iPhone (or iPad) user visited one of the infected sites, the malware attacked the device. If the attack was successful, a piece of software was installed on the smartphone that then started sending data over to its designated server.

That data could include contacts, images, GPS location information and even data from third-party apps like Instagram, Gmail and WhatsApp. The scooped up data was transmitted once every 60 seconds, Ian Beer, a member of Project Zero, reported. The hackers used a diversified attack approach as the security team found 12 different flaws that were exploited by the malware. Most of these were within Safari, Apple’s own web browser. The team didn’t disclose the websites that had these traps set up by the hackers, but said that they received "thousands of visitors per week".

iOS versions from 10 to 12 were all affected

Sadly, by the time the vulnerability was detected, it had already been exploited for around two years, the experts say. Versions of iOS as early as iOS 10 were found to have been targeted by the malicious code. This means that hundreds of millions of devices were at risk. How many users had their information stolen is unclear. The specialists also couldn’t pinpoint the origin of the malware.

Unlike some such software “holes” that are found by the good guys first, Google’s task force has proof that this weakness has been used by cybercriminals for a long time before it was discovered. It’s not uncommon for such tools or hacks to be sold on the black market to companies seeking to accumulate user data.

Don’t worry, it’s all good now

Apple was made aware of the problem on February 1, 2019 (that was the zero-day for this exploit). The company released the patch that closed the vulnerability on February 7 and acknowledged it in the patch notes with its impact described as “An application may be able to gain elevated privileges” and credits given to Google’s Threat Analysis Group and Project Zero.

This is a prime example of the importance of security updates and how behind an issue that’s described as almost inconsequential something far more serious can be hidden. Keep your devices updated and stay away from shady websites, that’s the main take away.