Google Helped Apple Close A Serious iPhone Vulnerability

Our smartphones are a treasure of information that companies often try to get their hands on. Some of us allow ourselves to do it in exchange for the services they provide, but others try to do it in secret, hiding exactly what they are doing. And then there are hackers who simply want to get their data without them noticing.

There is a constant game of cat and mouse among software developers and hackers, but even the largest companies can lose a creative way in which malicious people can extract data from their customers. Such was the case with an Apple iOS vulnerability that has been falling under the radar for years until it was discovered by the Project Zero of Google.

Google’s task force hunts down exploits

Google helped Apple close a serious iPhone vulnerability

Project Zero takes its name from the so-called zero-day vulnerabilities. Zero-day refers to the day when the vulnerable software developer realizes the problem. The scope of Project Zero’s work goes beyond Google products and the team also investigates the software of other famous developers. This is why security specialists have been able to detect the vulnerability in Apple’s iOS. If you are interested in the technical aspects of it, see the Project Zero blog post, where everything is explained with unbearable details.

But if you want the essential, this is what was happening. Hackers have installed their malicious code on different websites (without the websites knowing, of course). When an iPhone (or iPad) user visited one of the infected sites, the malware attacked the device. If the attack was successful, the software was installed on the smartphone which then started sending data to the designated server.

Such data could include contacts, images, GPS location information and even data from third-party apps such as Instagram, Gmail, and WhatsApp. The data collected was transmitted every 60 seconds, said Ian Beer, a member of Project Zero. Hackers used a diversified attack approach as the security team found 12 different errors exploited by the malware. Most of these were in Safari, Apple’s Web browser. The team did not disclose the websites that created these traps by hackers but claimed to have received thousands of visitors a week.

IOS versions 10 to 12 were affected

Unfortunately, when the vulnerability was detected, it had already been exploited for about two years, experts say. It was discovered that the iOS versions from iOS 10 had been attacked by malicious code. This clearly means that hundreds of millions of devices were at risk. It is not known how many users have stolen their information. The specialists were also unable to determine the origin of the malware.

Unlike some software “holes” the former find, the Google working group has evidence that cybercriminals used this weakness for a long time before it was discovered. It is not uncommon for such tools or hacks to be sold on the black market to companies seeking to accumulate user data.

Don’t worry, now it’s okay

Apple realized the problem February 1, 2019 (that was day zero for this exploit). The company released the patch to close the vulnerability on February 7th and acknowledged it in the patch notes with its impact described as “An application may be able to gain elevated privileges” and credits granted to the Google threat analysis group and to the Project Zero.

This is an excellent example of the importance of security updates and how something much more serious can be hidden behind a problem that is described as almost irrelevant. Keep your devices up to date and stay away from suspicious websites, this is the main option.

Also Read:

Follow us on Twitter to never miss an update on all the latest news from Apple, Google, Microsoft, and the Web.