Ongoing Zero-Click iPhone Spyware Attack Uncovered In iMessage
Cybersecurity and antivirus provider Kaspersky shared a report on Thursday regarding a new spyware attack against iOS devices. After detecting suspicious activity on multiple iPhones, the security experts at Kaspersky created offline backups of each device in order to inspect them all using the Mobile Verification Toolkit for iOS. The file produced by the MVT featured a number of indicators suggesting that the iPhones had indeed been compromised.
Kaspersky has dubbed this spyware campaign "Operation Triangulation."
According to Kaspersky, the spyware can infect iPhones without any action from the user. First, the iPhone user receives an invisible iMessage with a malicious attachment that contains the exploit. That message triggers a vulnerability leading to code execution, regardless of whether the user interacts with the message.
At this point, the code begins downloading additional stages from a command-and-control (C&C) server; these stages carry further iOS exploits used for privilege escalation. Once the iPhone has been fully exploited, a final payload is downloaded: a fully functional advanced persistent threat (APT) platform. The initial message is then deleted along with its attachment, and the user is none the wiser, since all of these steps have occurred in the background.
"Due to the peculiarities of blocking iOS updates on infected devices, we have not yet found an effective way to remove spyware without losing user data," CEO Eugene Kaspersky explains on his blog. "This can only be done by resetting infected iPhones to factory settings, installing the latest version of the operating system and the entire user environment from scratch. Otherwise, even if the spyware is deleted from the device memory following a reboot, Triangulation is still able to re-infect through vulnerabilities in an outdated version of iOS."
Kaspersky says the oldest traces of infection were from 2019, but the spyware is still infecting iPhones to this day. The good news is that the attack has only been detected so far on iPhones running iOS 15.7 or older. iOS 15.7 rolled out in September 2022, and Apple's developer portal shows that over 80% of all iPhones are running at least iOS 16.
For what it's worth, Eugene Kaspersky claims that his company "was not the main target of this cyberattack." It's unclear why so many Kaspersky devices were impacted, how widespread the spyware attack really is, or whether or not the average iPhone user is at risk. In the meantime, it's yet another reason to keep your iPhone's OS up to date.
