Google helped Apple close a serious iPhone vulnerability

Google helped Apple close a serious iPhone vulnerability
Our smartphones are a treasure trove of information that companies often try to get their hands on. Some, we let do that in exchange for the services they provide, but others try to do it on the sly by concealing exactly what they’re doing. And then there are hackers that just want to get your data without you even realizing it.

There’s a constant game of cat and mouse between software developers and hackers but even the largest corporations can miss a creative way in which the ill-intended are able to siphon data away from their customers. Such was the case with a vulnerability in Apple’s iOS that slipped under the radars for years until it was discovered by Google’s Project Zero.

Google’s task force hunts down exploits


Project Zero is named after the so-called zero-day vulnerabilities. Zero-day refers to the day on which the developer of the vulnerable software is made aware of the issue. Project Zero’s scope of work spans further than Google’s own products and the team investigates software from other popular developers as well. This is why the security specialists were able to detect the vulnerability within Apple’s iOS. If you’re interested in the technicalities of it, check Project Zero’s blog post, where everything is explained in excruciating details.

But if you want just the gist of it, here’s what was going down. Hackers planted their malicious code into various websites (without the websites knowing, of course). When an iPhone (or iPad) user visited one of the infected sites, the malware attacked the device. If the attack was successful, a piece of software was installed on the smartphone that then started sending data over to its designated server.

That data could include contacts, images, GPS location information and even data from third-party apps like Instagram, Gmail and WhatsApp. The scooped up data was transmitted once every 60 seconds, Ian Beer, a member of Project Zero, reported. The hackers used a diversified attack approach as the security team found 12 different flaws that were exploited by the malware. Most of these were within Safari, Apple’s own web browser. The team didn’t disclose the websites that had these traps set up by the hackers, but said that they received "thousands of visitors per week".

iOS versions from 10 to 12 were all affected


Sadly, by the time the vulnerability was detected, it had already been exploited for around two years, the experts say. Versions of iOS as early as iOS 10 were found to have been targeted by the malicious code. This means that hundreds of millions of devices were at risk. How many users had their information stolen is unclear. The specialists also couldn’t pinpoint the origin of the malware.

Unlike some such software “holes” that are found by the good guys first, Google’s task force has proof that this weakness has been used by cybercriminals for a long time before it was discovered. It’s not uncommon for such tools or hacks to be sold on the black market to companies seeking to accumulate user data.

Don’t worry, it’s all good now


Apple was made aware of the problem on February 1, 2019 (that was the zero-day for this exploit). The company released the patch that closed the vulnerability on February 7 and acknowledged it in the patch notes with its impact described as “An application may be able to gain elevated privileges” and credits given to Google’s Threat Analysis Group and Project Zero.

This is a prime example of the importance of security updates and how behind an issue that’s described as almost inconsequential something far more serious can be hidden. Keep your devices updated and stay away from shady websites, that’s the main take away.

FEATURED VIDEO

24 Comments

1. afrohoxha

Posts: 264; Member since: Mar 13, 2014

That's kinda ironic.

3. Back_from_beyond

Posts: 1440; Member since: Sep 04, 2015

Google, keeping your iPhone safe, because Apple apparently needs the help.

18. Plutonium239

Posts: 1232; Member since: Mar 17, 2015

Apple has never been good at software security.

5. shiv179

Posts: 176; Member since: Aug 08, 2012

HAHAHA!

23. Tizo101

Posts: 572; Member since: Jun 05, 2015

Hehehe!

6. Dbosss unregistered

I wish iOS and Google has to work together against the vulnerabilities caused by hackers at least be transparent to each other as most of the apps r developed for both platforms. For Hackers, it doesn't matter if its iOS or android or anything, if they want to hack, they can hack into anything

8. Gryffin

Posts: 65; Member since: Dec 19, 2018

"What happens on your iphone stays on...."

14. lyndon420

Posts: 6836; Member since: Jul 11, 2012

Yeah it's time they stopped using such a misleading slogan.

11. clarity

Posts: 56; Member since: Jun 19, 2017

It's not only a vulnerability, but 5 different exploit chains. The initial flaw comes from WebKit and can be exploited through Safari because Safari uses it. Chrome also does, all browsers on iOS do. All other bugs are Kernel flaws that should've been detected with simple unitary testing... All operative systems have flaws, even Android, and believe me, they're even worse. Also, new iPhones are immune to this because of arm v8.3 and since there's no persistence, a reboot would remove the permissions from the malware, until the website was visited again, unlike in Android. I feel like this should be mentioned on the article.

15. Zappo

Posts: 12; Member since: Oct 04, 2016

Yes! This is bigger than the article makes it sound like.

13. Pigaro

Posts: 87; Member since: May 15, 2016

That's a bit weird

16. apple-rulz

Posts: 2198; Member since: Dec 27, 2016

Google makes the OS for Samsung devices.

19. Rampage_Taco

Posts: 1085; Member since: Jan 17, 2017

Google only makes part of Samsung's OS. The Android Kernel. Samsung then applies their own skin with features not found in the native OS. You know that. But the article isn't about that, it's about how nice Google is that they willingly helped Apple with an exploit they couldn't find themselves

20. apple-rulz

Posts: 2198; Member since: Dec 27, 2016

You not only know nothing, but you suck at deflecting. Bottom line is this, go power up the latest Samsung flagship and up comes, what for it........powered by ANDROID. Who makes android? Oh yeah, Google. All Samsung does is apply some cosmetic tweaks. Google supplies Samsung with what they can’t make themselves, an OS!

21. koioz

Posts: 164; Member since: Nov 29, 2018

As a developer, I can can sense your lack of idea about how open source software works. Android Open Source Project is not made by Google alone, it is the collaboration of ideas from different OEM's . This collaboration is called Open Handset Alliance.https://en.m.wikipedia.org/wiki/Open_Handset_Alliance I am glad that I healed your ignorance. You're welcome

35. mootu

Posts: 1530; Member since: Mar 16, 2017

Google doesn't make Android, they don't even own Android, it's open source, Google only owns the brand name. Google makes it's suite of apps and srvices which sit on top of Android and is the caretaker of the original base code.

37. jamesgam7

Posts: 16; Member since: Mar 20, 2015

Damn, got smoked there bud. Also Samsung mainstreamed a lot of features that took google's own version of android to appear even if touch wiz was so sh*tty. The multitasking apps etc.

28. OneLove123

Posts: 1197; Member since: Aug 28, 2018

What? No way!! iOS is the most secure they say.

* Some comments have been hidden, because they don't meet the discussions rules.

Latest Stories

This copy is for your personal, non-commercial use only. You can order presentation-ready copies for distribution to your colleagues, clients or customers at https://www.parsintl.com/phonearena or use the Reprints & Permissions tool that appears at the bottom of each web page. Visit https://www.parsintl.com/ for samples and additional information.