
Even iPhones aren’t secure, hackers can rob users of their sleep: study


Cybercriminal groups are now hacking into iPhones with spyware tools that were previously limited to spy agencies and law enforcement agencies, a recent study has revealed. Any iPhone user can now be a target of such invasive malware, which lets hackers steal personal texts, images, notes, and calendar information.

In the past month, researchers at Google, iVerify and Lookout have identified two exploits targeting iPhone vulnerabilities. Earlier this month, Google researchers said they had identified a sophisticated iPhone hacking toolkit named ‘Coruna’. It was initially developed for an unidentified ‘government customer’, but later ended up in the hands of a Chinese cybercriminal group.

Later, tech news outlet TechCrunch reported that the spyware was developed by L3Harris, a defense contractor for the US government. Hackers deployed Coruna through fake Chinese-language crypto and financial platforms. Simply visiting such a website would infect a vulnerable iPhone. No clicks or downloads were required.

On the same server, researchers on Wednesday found another iPhone hacking tool called ‘DarkSword.’ It can infect an iPhone as soon as the device visits certain websites, including Ukrainian media and government websites. This is part of a so-called ‘watering hole attack’: a type of targeted cyber attack in which attackers infect websites used by a specific group (such as employees of a company) to spread malware and compromise the security of their devices.

Researchers have linked DarkSword to a hacking group based in Russia. However, it is not clear whether the group is affiliated with a government agency or is a proxy cybercriminal group. According to iVerify, DarkSword extracts almost all types of information after entering a device. This includes iMessages, WhatsApp and Telegram messages, location information, phone contacts, call history, WiFi configuration, browser history and cookies.

Lookout researchers say that, although DarkSword was originally aimed at users of Ukrainian websites, its developers did not hide the underlying JavaScript code on the server. As a result, even low-level cybercriminals can easily copy it and use it against a wider set of targets.

Apple spokeswoman Sarah O’Rourke said the spyware targeted vulnerabilities in the iPhone’s operating system, iOS, which have already been fixed in newer iOS versions in recent years. She added that Apple released an emergency software update last week for older devices that cannot install the new operating system, and that Apple’s Safari browser is now blocking malicious URL domains identified in Google’s research.

Creating or procuring such tools—based on extremely rare and valuable iPhone vulnerabilities—was once only possible for well-heeled government customers. State agencies used these tools to monitor activists, journalists and foreign politicians. Now cybercriminals are also getting these tools. As a result, the barriers to carrying out such attacks are reduced and the range of possible targets is increased.

Rocky Cole, co-founder and chief operating officer of iVerify, told Axios, “The massive investment behind commercial spyware developers has created an entire ecosystem of mobile exploits, making these tools really, really accessible.”

Apple has long promoted the iPhone as a highly secure device, attracting users who are privacy-conscious or interested in protecting sensitive communications. But recent research suggests the devices may not be as secure as they used to be, Cole said. He said, ‘Now every iPhone user has to think about it.’

Apple spokeswoman O’Rourke said Apple devices are built with ‘multi-layered security measures to protect against a wide variety of potential threats’ and that ‘Apple’s security teams around the world are working tirelessly to protect users’ devices and data.’

Justin Albrecht, director of global mobile threat intelligence at Lookout, told Axios that the people behind DarkSword likely used a large language model to build parts of their hacking tools. This is inferred from the naming of the files.

One of the files in the data theft code was simply named ‘Darksword File Receiver.’ “Anyone who does offensive cyber security work never leaves a name,” Albrecht said. “I’m not sure if this group is even very technically proficient.”

According to iVerify, if Apple’s Lockdown Mode had been enabled, the DarkSword attack would have been only partially prevented, but the Coruna attack would have failed completely, because it does not work when this mode is enabled. There is no foolproof protection against this type of watering hole attack. But Albrecht recommends keeping devices updated, turning on Lockdown Mode and using third-party mobile security software. “While these steps are helpful, unfortunately they do little to identify it as a user,” he said.


