Hundreds of Millions of iPhones Can Be Hacked With a New Tool Found in the Wild

iPhone hacking techniques have sometimes been described as almost like rare and elusive animals: hackers have used them so stealthily and carefully against such a small number of selected targets that they are rarely seen in the wild. Now a recent series of espionage and cybercriminal campaigns has deployed the same phone-takeover tools, embedded in infected websites, to indiscriminately hack thousands of people’s phones. And one new technique in particular—capable of taking over any one of millions of iOS devices—has appeared on the Web in easily reproducible form, putting a significant portion of the world’s iPhone users at risk.

Researchers from Google and cybersecurity firms iVerify and Lookout on Wednesday jointly disclosed the discovery of a sophisticated iPhone hacking technique, known as DarkSword, that they have observed in use on infected websites, capable of instantly and silently hacking iOS devices visiting those sites. Although this technique does not affect the latest, updated versions of iOS, it does work against iOS devices running versions of Apple’s previous operating system release, iOS 18, which, according to Apple’s own calculations, still accounted for about a quarter of iPhones as of last month.

“A large number of iOS users could have all of their personal data stolen just by visiting a popular website,” says Rocky Cole, co-founder and CEO of iVerify. “Millions of people who are still using older Apple devices or older operating system versions remain vulnerable.”

The iPhone-hacking campaign that used DarkSword comes just two weeks after the revelation of another, even more sophisticated and fully featured hacking toolkit known as Koruna, which Google described as being used by a Russian state-sponsored espionage group and other hacker groups. Although DarkSword appeared to have been created by different developers from Koruna, researchers found that it was used by the same Russian spies. Like Koruna, it was also embedded into components of legitimate Ukrainian websites, including online news outlets and a government agency site, to harvest data from visitors’ phones.

Still, what’s worrying, says iVerify co-founder and researcher Matthias Frilingsdorf, is that the hackers who carried out that spying campaign left the complete, explicit DarkSword code — with explanatory comments in English that describe each component and include the “DarkSword” name for the tool — available on those sites for anyone to use and reuse. He says this carelessness practically invites other hacker groups to adopt it and target other iPhone users. “Anyone who manually grabs all the different parts of the exploit can put them on their Web server and start infecting phones. It’s as simple as that,” Frilingsdorf says. “It’s all well documented too. It’s really very simple.”

WIRED contacted Apple for comment on the researchers’ findings, but the company did not comment. Google declined to comment beyond its ongoing blog post about its DarkSword findings.

According to Lookout, DarkSword is designed to steal data from vulnerable iPhones, including passwords and photos; logs from iMessage, WhatsApp and Telegram; browser history; Calendar and Notes data; and even data from Apple’s Health app. Despite the apparent espionage focus of the hacking campaign, DarkSword also stole users’ cryptocurrency wallet credentials, suggesting that the hackers may have had a potential side business in cybercrime for profit.

Instead of installing existing spyware on users’ phones, DarkSword uses stealth techniques often seen in “fileless” malware that typically targets Windows devices, hijacking legitimate processes in the iPhone’s operating system to steal data. “Instead of using a spyware payload to brute-force its way through the file system – which leaves a lot of exploit artifacts that are much easier to detect – it uses system processes the way they should be used,” says iVerify’s Cole. “And it leaves very little trace.”


