In an excellent and deep blog analysis, Ian Beer of Google’s Project Zero outlines five separate iOS exploit chains that were found on a small collection of hacked websites. The hacked sites were being used in indiscriminate watering hole attacks against their visitors, using iOS zero-day exploits. (For another watering hole attack example, please see our recent blog, “The Mobile Watering Hole: How A Sip Leads to A Trojan Compromise”).
By a victim simply visiting one of the malicious websites, attackers could quietly hack into a victim’s iOS device by exploiting a set of previously undisclosed software flaws. Per Zack Whittaker’s story in TechCrunch, researchers found five distinct exploit chains involving twelve separate security flaws, seven of which involve Safari, the built-in web browser on iOS devices.
The five separate attack chains allowed an attacker to deliver an implant and gain “root” access to the device — the highest level of access and privilege on an iOS device. In doing so, an attacker could gain access to the device’s full range of features normally off-limits to the user. That means an attacker could quietly install malicious apps to spy on the device owner without their knowledge or consent.
As MIT Technology Review reported, Apple patched the bugs quickly in February 2019, so everyone who has updated their iOS devices since then is protected. Rebooting the device wiped the malware, but by then the data had already been taken. Exactly who was infected remains an open question. iOS users themselves likely wouldn’t know, because the malware runs in the background with no visual indicator and there is no way for an iOS user to view the processes running on the device.
Zimperium Customers Are Protected
This is another example of a complicated and sophisticated mobile attack. Based on analysis of the Project Zero information by zLabs, Zimperium zIPS detects any attempts by the attacker to gain persistence on the device or perform any system or app tampering. In addition, using our on-device phishing detection engine, Zimperium zIPS would have been able to alert the user that they are accessing a potentially malicious website and prevent them from being infected in the first place. Furthermore, should the user be redirected to a malicious website via a rogue access point or man-in-the-middle (MITM) attack, Zimperium zIPS would have detected that as well.
The post Malicious Websites Have Been Exploiting iOS Devices For Years appeared first on Zimperium Mobile Security Blog.