Project Zero is a Google security team that finds zero day vulnerabilities in products and services. It routinely finds them in Apple products, and just announced that it found a series of malicious websites taking advantage of zero days found in iOS.
Zero Day
A zero day is a type of security vulnerability that can be found in software. It means that the company that owns the software doesn’t know about it, so they’ve had zero days to fix it. These are among the most valuable vulnerabilities for hackers to sell and exploit.
Google’s Threat Analysis Group (TAG) stumbled upon the websites earlier this year. Simply visiting one with an iPhone was enough for one to get hacked. They found a total of five exploit chains based on 14 vulnerabilities. These targeted iOS 10 up to the latest version of iOS 12.
The malware that got installed was focused on stealing files and uploading live location data. It also had access to the user’s iCloud Keychain, and the databases of several end-to-end encrypted apps, including iMessage, Telegram, and WhatsApp.
The malware wasn’t persistent, meaning it would be erased if you restarted your iPhone. But that’s still enough to cause damage. The team disclosed the vulnerabilities to Apple, which resulted in the release of iOS 12.1.4 in February 2019.
As I was sure would happen some talking head on our local TV news is reporting this as if the problem wasn’t patched.