iPhone users, safe in the knowledge that their phone is virtually unhackable, got a nasty surprise this week as Google disclosed a sustained malware attack that potentially infected thousands of devices.
Google’s Project Zero Team, a group of security researchers tasked with tracking down vulnerabilities in software, confirmed that a number of hacked websites were used to attack iPhones in a large-scale watering hole attack.
A watering hole attack is a type of cyber attack where hackers will attempt to compromise a specific group of users by infecting websites that members of the group are known to visit.
The attacker will identify vulnerabilities in the chosen websites and inject malicious code into the ads or banners displayed on the site. As a result, when users visit the compromised site, they will inadvertently infect their device with malware.
The attack took place over two years and is thought to be the largest ever attack on iPhone users. Once installed, the malware could steal passwords, encrypted messages, photos and contact info, and could even monitor live location data.
Hackers could also detect what apps the user had installed, stealing data from popular services such as WhatsApp, Instagram, Telegram, Gmail and Hangouts.
According to the Project Zero Team: “There was no target discrimination; simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant.”
Google did not disclose which websites were compromised or who the intended target of the attack was, but recent reports suggest that the websites were part of a state-backed attack designed to target the Uighur Muslim community in China’s Xinjiang province.
Unfortunately, there’s no way of determining if your device was infected as the malware would have run quietly in the background without your knowledge. Apple patched the vulnerability in February (iOS 12.1.4), wiping the malware from existing phones and protecting subsequent users from infection.
If you are an iPhone user, you should make sure your device is running the latest version of iOS. To do this, go to Settings, tap General and then Software Update; you should be running iOS 12.1.4. If you are not running the latest version, you will be given the option to update your device.
A VPN will also help hide your online activity, reducing the chance of hackers creating a detailed profile of your browsing history.
Although uncommon, watering hole attacks pose a significant threat as they are difficult to detect and typically target larger organisations through employees or third-party vendors. Hackers are continually experimenting with new methods, so it’s vital that users are educated on the latest techniques and know how to protect themselves.