Hackers Have Been Using Malicious Websites to Hack iPhones for Years

Your smartphone is your gateway to the virtual world. It's your door to your social platforms, email accounts, entertainment, and information. Unfortunately, it is also a door that can expose you to virtual security dangers, and sometimes these dangers can be practically invisible. It was recently discovered that cybercriminals have been setting up traps for iPhone users specifically and that they have been doing it for years. The attackers would create malicious websites, and if people were tricked into visiting them, that would be enough to perform iPhone hijacking. Was your iPhone hacked after visiting sites set up by cyber attackers? Unfortunately, this could have happened without your notice at all. Continue reading if you want to learn more about the attack as well as how to secure your device against hackers in the future.

How did hackers hijack iPhones using websites?

The attacks on iPhone users were discovered by Project Zero, a Google-run team that focuses on zero-day vulnerabilities that enable attackers to create exploits and perform successful attacks. According to the team, cybercriminals figured out a way to set up websites that hijacked iPhones running iOS 10 and later without their owners' knowledge. Based on the conducted research, the attacks could be traced back two years, and, unfortunately, it was impossible to know how much damage could have been done. That being said, according to the recorded traffic, thousands of visitors could have visited the malicious websites every single week within those two years. The team discovered that once a malicious site was set up, one visit was enough for the visitor's device to get attacked and, potentially, infected. So, how exactly did hackers use websites to hijack iPhones? It all comes down to security vulnerabilities.

The Project Zero team states that 14 different zero-day vulnerabilities (making up 5 unique exploit chains) could have been used to attack iPhone users. 7 of these were found in the iPhone's web browser. While, in some cases, users themselves are responsible for unpatched vulnerabilities, in this case the responsibility was entirely Apple's because the vulnerabilities were not detected in time. Project Zero contacted Apple in February to warn them about the vulnerabilities, and the iOS 12.1.4 update was released within a week. Ultimately, although patches for the vulnerabilities have been created, we have to look into the security issues that thousands of iPhone users could have been exposed to already.

What did attackers do after hijacking iPhones?

Needless to say, cybercriminals do not create exploits, build websites, and hijack iPhones just for fun. Well, in some cases, attackers do strange things for strange reasons, but in this situation, they used the zero-day vulnerabilities to install a "monitoring implant," as Project Zero calls it. According to researchers, the implant ran in the background, and the owner of the infected device could not see it, which meant that they could not detect and stop it in time. Once the implant was up and running, it could steal files and gather information about the device, acting on commands that it fetched from a remote C&C server every 60 seconds. It could then record emails, contacts, messages from various messaging apps (e.g., iMessage, Telegram, or WhatsApp), and photos. It could even employ GPS to track the victim. Ultimately, if you had your iPhone hacked after visiting sites set up by cybercriminals, your virtual privacy has been jeopardized, and unknown parties might have enough information to perform identity theft and even impersonate you online if that is necessary for whatever the attackers might be planning next.

The implant was not persistent, and once the device was rebooted, it could no longer track the victim or gather personal information on behalf of the remote attackers. That being said, if the victim, unbeknownst to them, visited the malicious website again, the implant would run again. All in all, even if the implant was deactivated for good, the attackers might already have all the information they need to access private accounts and wreak havoc.
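The fixed 60-second polling interval described above is the kind of regularity a network defender can look for. As an added example (not code from the article or from Project Zero), the Python snippet below groups connection-log lines by source device and destination host and flags pairs whose connections recur on a near-constant period; the log format, addresses and hostnames are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log (not real traffic): "<ISO timestamp> <source device> <destination host>".
# Device 10.0.0.7 contacts one host roughly every 60 seconds; 10.0.0.5 browses normally.
SAMPLE_LOG = """\
2019-02-01T10:00:00 10.0.0.5 example-cdn.test
2019-02-01T10:00:00 10.0.0.7 c2-placeholder.test
2019-02-01T10:01:00 10.0.0.7 c2-placeholder.test
2019-02-01T10:01:10 10.0.0.5 news.test
2019-02-01T10:02:01 10.0.0.7 c2-placeholder.test
2019-02-01T10:02:59 10.0.0.7 c2-placeholder.test
2019-02-01T10:04:00 10.0.0.7 c2-placeholder.test
2019-02-01T10:05:00 10.0.0.7 c2-placeholder.test
2019-02-01T10:05:30 10.0.0.5 example-cdn.test
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)$")


def parse_log(text):
    """Return {(source, destination): [timestamps]} from the constructed log format."""
    flows = defaultdict(list)
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # skip blank or malformed lines
        ts, src, dst = match.groups()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows


def find_beacons(flows, period=60.0, tolerance=0.1, min_hits=5):
    """Flag (src, dst, mean_gap) pairs whose inter-connection gaps cluster around `period`.

    `tolerance` is a fraction of the period allowed for both the mean gap and its spread,
    so small jitter (a second or two) is still caught while ordinary browsing is not.
    """
    hits = []
    for (src, dst), times in flows.items():
        if len(times) < min_hits:
            continue  # too few connections to judge regularity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg, spread = mean(gaps), pstdev(gaps)
        if abs(avg - period) <= period * tolerance and spread <= period * tolerance:
            hits.append((src, dst, round(avg, 1)))
    return hits
```

Real implants can add random jitter or longer sleeps, so treat a hit as a lead to investigate, not proof of infection.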

Apple is NOT happy with Google

Apple fixed the iPhone vulnerabilities in February, but Google's Project Zero team completed their analysis just recently. Naturally, they shared their findings now as well, and this, according to Apple, "creates the false impression of 'mass exploitation' to 'monitor the private activities of entire populations in real time,' stoking fear among all iPhone users that their devices had been compromised." Apple also disagrees about the length of time in which the attackers were active. The company suggests that the websites that were instrumental in infecting iPhone devices were active for two months, not two years. Also, "fewer than a dozen" sites were set up in that time and, according to Apple, these sites were unlikely to have been visited by people outside the Uighur community.

So, did Google create a scandal out of nowhere? The timing of the message might be odd, but the bottom line is that people had their iPhones hijacked after visiting sites set up by cybercriminals. Apple might have been working on vulnerability patches by the time Google intervened, but these vulnerabilities should not have existed in the first place.

So you had your iPhone hacked after visiting sites set up by hackers. What now?

First and foremost, update your iOS to the latest version.

Once you have your device updated, you can move on to the protection of private data. It is impossible to say what kind of information hackers could have gathered from your iPhone, which is why you need to cover all bases, and we recommend starting with passwords. It is possible that all of your login credentials were recorded, and if that is the case, all of your accounts are vulnerable. Cyclonis Password Manager is compatible with iOS devices, and it is a free password management tool that will help you change passwords while making them stronger too.

Once you have your passwords covered, you need to go through the list of all installed apps and check their permissions. If you are not comfortable with certain permissions (e.g., some apps might track your physical location or gain access to contact information), you can remove the apps, or you can revoke the permissions. Our final security tip that, hopefully, will ensure that you do not have your iPhone hijacked in the future is to be more cautious about your own activity. Without a doubt, you increase your chances of facing hackers and cybercriminals if you visit unfamiliar websites, click on random links, open spam email attachments, and download apps from unreliable sources.

September 16, 2019