The campaign may have affected hundreds of thousands of users, complicating Apple’s situation at a time when it is trying to drum up interest for its upcoming new iPhone release and assure users that its hardware is less susceptible to hacking than other phones.
The hack would allow the malicious actors to record text messages, photos and the location of the device. Apple said it fixed the flaw in February.
“Google’s Threat Analysis Group was able to collect five separate, complete and unique iPhone exploit chains, covering almost every version from iOS 10 to the latest version of iOS 12. This indicated a group making a sustained effort to hack the users of iPhones in certain communities over a period of at least two years,” the company said.
The news came just hours after Apple said it would hold a future product launch on Sept. 10. Apple recently also apologized for not telling people that hired contractors were listening to voice recordings of Siri users.
For a long time, Apple has been reporting that iPhones are less vulnerable to hacks than Androids.
Alex Stamos, who used to work at Facebook and is now at Stanford, said that “this is a huge find by Google’s team.”
Marcus Hutchins, a researcher best-known for helping to stop the WannaCry attack in 2017, said, “This is wild. Maybe I’m missing something, but it feels like Apple should have found this themselves.”
Google researcher Ian Beer said, “There was no target discrimination; simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant.”