Kaspersky, a cybersecurity provider, released a report on Thursday detailing a new spyware attack on iOS devices. After observing unusual behavior on several iPhones, its researchers made offline backups of the devices and analyzed them with the Mobile Verification Toolkit (MVT) for iOS. The MVT output showed indicators of compromise on the iPhones.
Kaspersky reports that iPhones can be infected with the spyware without any user intervention. Initially, an invisible iMessage containing a malicious attachment is received by the iPhone user. This attachment includes an exploit that triggers a vulnerability, resulting in code execution, regardless of the user’s interaction with the message.
The code then retrieves additional stages from a command-and-control (C&C) server, which install further iOS exploits to escalate privileges. Once the iPhone has been fully exploited, a final payload is downloaded: a fully functional advanced persistent threat (APT) platform. The original message and its attachment are then deleted, so the user never sees any sign of the chain of events that ran in the background.
CEO Eugene Kaspersky stated on his blog that, because the spyware blocks iOS updates on compromised devices, no method of removing it without data loss has been found yet. The only remedy is to reset an infected iPhone to factory settings, install the latest iOS version, and rebuild the user environment from scratch. Otherwise, even if the spyware is removed from device memory by a reboot, the Triangulation spyware can reinfect the device through the vulnerabilities in the outdated iOS version it is still running.
According to Kaspersky, the earliest signs of infection date back to 2019, and the spyware continues to infect iPhones presently. Fortunately, the attack has only been detected on iPhones running iOS 15.7 or older. iOS 15.7 was released in September 2022, and Apple’s developer portal indicates that over 80% of iPhones are already running at least iOS 16.
Eugene Kaspersky maintains that his company “was not the primary objective of this cyberattack.” The reasons behind the significant impact on Kaspersky devices, the true extent of the spyware attack, and the potential risk to the average iPhone user remain uncertain. However, this incident underscores the importance of regularly updating your iPhone’s operating system as an additional precautionary measure.