Google Says Malicious Websites Have Been Quietly Hacking iPhones for Years

[Venustus]

Content source

https://www.vice.com/en_ca/article/bjwne5/malicious-websites-hacked-iphones-for-years

In what may be one of the largest attacks against iPhone users ever, researchers at Google say they uncovered a series of hacked websites that were delivering attacks designed to hack iPhones. The websites delivered their malware indiscriminately, were visited thousands of times a week, and were operational for years, Google said.
"There was no target discrimination; simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant. We estimate that these sites receive thousands of visitors per week," Ian Beer, from Google's Project Zero, wrote in a blog post published Thursday.
Some of the attacks made use of so-called zero day exploits. This is an exploit that takes advantage of a vulnerability that the impacted company, in this case Apple, is not aware of, hence they have had "zero days" to find a fix. Generally speaking, zero day attacks can be much more effective at successfully hacking phones or computers because the company does not know about the vulnerability and thus has not fixed it.
iPhone exploits are relatively expensive and the iPhone is difficult to hack. The price for a full exploit chain of a fully up to date iPhone has stretched up to at least $3 million. This includes various vulnerabilities for different parts of the iPhone operating system, including the browser, the kernel, and others to escape an application's sandbox, which is designed to keep code running only inside the part of the phone it is supposed to.

 

[Vasudev]

No wonder I see some websites open in Safari mobile with many tabs and I always tell mom to close them and she says I didn't even open Safari.

 

[Pkjfkknm]

google try make iphone look bad
package as doing public good
android way more worse

 

[Local Host]

google try make iphone look bad
package as doing public good
android way more worse

I agree, the same thing has been happening on Android for years now, Malware is an all time high on Android.

 

[jetman]

Apple always maintain that iOS does not require antivirus or orther such security software. My understanding is that this is because applications can only be installed via the official App Store. Furthermore, applications are strictly sandboxed and prevented from accessing other services.

Is my undertanding broadly correct ?

If so, how could an infected website carry out such an attack ?

 

[ChoiceVoice]

Apple always maintain that iOS does not require antivirus or orther such security software. My understanding is that this is because applications can only be installed via the official App Store. Furthermore, applications are strictly sandboxed and prevented from accessing other services.

Is my undertanding broadly correct ?

If so, how could an infected website carry out such an attack ?

i suppose it must have found a way to spoof permission. windows uses certificates that have in the past been compromised, i suspect apple would have something similar. this way it can gain access to the broader system.

 

[ChoiceVoice]

google try make iphone look bad
package as doing public good
android way more worse

agreed. google should be sued for defamation unless they release these exploits to apple. prove it. i suspect they likely did this, but it doesn't actually say they did. furthermore, apple pays for revealed security flaws. so wouldn't google just report it via that channel and make some money off apple?

and yes, the android store itself is full of malware and suspect apps.

Android Warning: Devious Malware Found Inside 34 Apps Already Installed By 100M+ Users

Another report has highlighted the frightening levels of dangerous malware hidden in apps on the Google Play Store

www.forbes.com

 

[ebocious]

This comes hot on the heels of news a couple weeks ago about 34 apps infecting 100+ million Android devices, and more news Tuesday about another 100+ million Android devices being infected from CamScanner. Yes, Google discovered a handful of websites that had an exploit for iOS. They told Apple about it, Apple gave them credit for the find, and a patch was released within seven days. This was back in February. So, why is Google taking it upon themselves to talk to the press about an Apple exploit, six months later? Gee, I can’t imagine why.

Of course, “thousands” of iPhones are a drop in the bucket compared to hundred-millions of Android devices. After Windows computers, Android is the second-largest target, even bigger than Mac computers. Not only is it possible to remotely attack an Android without even requiring the user to visit a website (e.g. Stagefright), but Google scans new app submissions with a computer and approves them within a day or two, whereas Apple has humans as well as computers looking at new app submissions, and it can take weeks before an app is approved.

In addition, all iPhones get their updates directly from Apple (which also disinfects phones that had the infection), whereas only Pixel and Nexus get their updates directly from Google. All other Android manufacturers have to wait for Google’s patch, then port it to their devices, and submit it to all the cellular carriers. On top of that, the six-year-old iPhone 5s can run iOS 12.4.1 (you may need to buy a new battery), whereas the three-year-old Samsung Galaxy S7 will not be able to run Android 9 Pie. Yah, I'm sticking with iPhone.

 

[SeriousHoax]

People are taking it the wrong way. This is what Google's Project Zero does. They look for security vulnerabilities and it doesn't matter whether it's Apple or some other companies or even Google themselves. You guys just for no reason started comparing iPhones and Android which is a completely different topic.

 

[ebocious]

People are taking it the wrong way. This is what Google's Project Zero does. They look for security vulnerabilities and it doesn't matter whether it's Apple or some other companies or even Google themselves. You guys just for no reason started comparing iPhones and Android which is a completely different topic.

I understand what Project Zero does. But why do they take it upon themselves to talk to the press about a vulnerability in a competitor's product, six months after the fact? Mind you, this vuln was discovered in February, and patched a week after it was discovered. My answer: because their employer has suffered a double-whammy of bad press over the past few weeks, taking a second hit just a few days ago.

 

[SeriousHoax]

I understand what Project Zero does. But why do they take it upon themselves to talk to the press about a vulnerability in a competitor's product, six months after the fact? Mind you, this vuln was discovered in February, and patched a week after it was discovered. My answer: because their employer had suffered a double-whammy of bad press over the past few weeks.

Publishing in February and now should have the same impact as its having now. They probably had some other reason for publishing it late. Malicious apps discovery on PlayStore is a very common occurrence so doesn't seem it's related to that.

 

[ebocious]

Publishing in February and now should have the same impact as its having now. They probably had some other reason for publishing it late. Malicious apps discovery on PlayStore is a very common occurrence so doesn't seem it's related to that.

So, it's nothing more than sheer happenstance that Google took a bad blow mid-August, and a second blow Tuesday, before their employees talked to the press yesterday about a vulnerability they discovered for iOS six months ago? Well, that's your story, and you're sticking to it. You do you.

 

[notabot]

It's a shame they didn't say which websites did that, disclosure would had been good as folks may want to check against their browsing history and see if they need to change their passwords.
Also some clarity would had been nice on the keychain upload? ie was it a locked/encrypted keychain that they uploaded or an open one

 

[Local Host]

On top of that, the six-year-old iPhone 5s can run iOS 12.4.1 (you may need to buy a new battery)...

This is where you ruined the argument, most iPhones lose performance and features when upgrading iOS.

Not to mention you can't expect Google to support third-party devices the same way, they do support their own Hardware the same way Apple does (but Google goes a step further to avoid performance and features loss, unlike Apple).

It doesn't take long to find all sort of issues iPhones have with iOS upgrades, just search "iPhone iOS Upgrade Issues".

 

[Threadripper]

This is where you ruined the argument, most iPhones lose performance and features when upgrading iOS.

Not to mention you can't expect Google to support third-party devices the same way, they do support their own Hardware the same way Apple does (but Google goes a step further to avoid performance and features loss, unlike Apple).

It doesn't take long to find all sort of issues iPhones have with iOS upgrades, just search "iPhone iOS Upgrade Issues".

iOS updates usually increase performance, obviously not in the case of the 6 year old 5S, in technology years it's ancient. Google can't even support their own phones for more than 3 years, it wouldn't be very hard for them to change the contract OEMs sign to say "support your phones with monthly security updates and Android updates for 2 years"; but they won't do that.

 

[ebocious]

This is where you ruined the argument, most iPhones lose performance and features when upgrading iOS.

Not to mention you can't expect Google to support third-party devices the same way, they do support their own Hardware the same way Apple does (but Google goes a step further to avoid performance and features loss, unlike Apple).

It doesn't take long to find all sort of issues iPhones have with iOS upgrades, just search "iPhone iOS Upgrade Issues".

You expect six-year-old hardware to run new software just as quickly as new hardware? Sorry, it doesn't work that way. Try running Windows 10 on a 10-year-old computer. You call it planned obsolescence; most people call it advancement. If technology didn't ever advance, then we wouldn't have computers.

Show me a six-year-old Android that can run 9 Pie. If you can't do that, then stop and think what you're arguing for, besides personal attachment.

P.S.: I'm not interested in yet another iPhone vs. Android flame war. If this is about to devolve into one, then you can continue without me.

 

[Local Host]

You expect six-year-old hardware to run new software just as quickly as new hardware? Sorry, it doesn't work that way. Try running Windows 10 on a 10-year-old computer. You call it planned obsolescence; most people call it advancement. If technology didn't ever advance, then we wouldn't have computers.

Show me a six-year-old Android that can run 9 Pie. If you can't do that, then stop and think what you're arguing for, besides personal attachment.

P.S.: I'm not interested in yet another iPhone vs. Android flame war. If this is about to devolve into one, then you can continue without me.

You the only one who claimed iPhones get iOS Upgrades like it was a good thing, when it most cases it causes issues due to Apple negligence when it comes to older devices.

Both Google (Android) and Microsoft (Windows Phone) always test and refuse to release updates that would cripple older devices, you also expect Google to force upgrades on third-party devices they have no control over (which would add to the negligence, as Google can't test each and every phone and configuration, not to mention as you can see from Apple itself they lazy to test their own limited devices).

As for the 10 year old computer running Windows 10, I have computers older than that running Windows 10 with no issues (especially at work, old Dells that came with XP), my older Desktop runs Windows 10 as well (and triple A games at 1080p) and is 9 year old (you honestly can't compare phones to computers).

 

[Burrito]

P.S.: I'm not interested in yet another iPhone vs. Android flame war. If this is about to devolve into one, then you can continue without me.

But it wouldn't be any fun without you.

 

[ebocious]

You the only one who claimed iPhones get iOS Upgrades like it was a good thing, when it most cases it causes issues due to Apple negligence when it comes to older devices.

Both Google (Android) and Microsoft (Windows Phone) always test and refuse to release updates that would cripple older devices, you also expect Google to force upgrades on third-party devices they have no control over (which would add to the negligence, as Google can't test each and every phone and configuration, not to mention as you can see from Apple itself they lazy to test their own limited devices).

As for the 10 year old computer running Windows 10, I have computers older than that running Windows 10 with no issues (especially at work, old Dells that came with XP), my older Desktop runs Windows 10 as well (and triple A games at 1080p) and is 9 year old (you honestly can't compare phones to computers).

That's not true. Windows Updates are always hosing the system, old or new. I never update without a disk image. And I used to use Android. They've had issues upgrading as well. Meanwhile, I've prevented issues with iOS updates by quitting all apps, and plugging the phone into a computer running iTunes. Also, I might have something to say about stability issues, and on which mobile ecosystem I've seen more of them. iOS apps are written in Objective C; Android apps are written in Java. That's not to say I don't experience app instability on iOS, but it's usually always the same ones: Facebook and PCH. But I digress. Listen to me carefully: NO brand is bug-free.

As far as comparing computers to phones, that's true; you can't. But you're missing the point. Computers go longer than phones, but they do go obsolete. You know they do, and you know phones do. So there's no sense in blaming manufacturers for "planned obsolescence." If you're going to do that, then blame ALL of them, not just Apple. Is there a six-year-old Nexus that can run 9 Pie? No? Then you're arguing for personal affinity, and I could care less about that. I'm not here to discuss religion, and I'm not here to fight. We can talk reason, or not at all.

 

[ebocious]

But it wouldn't be any fun without you.

That's the idea. I intend to discourage it.