Google and two cybersecurity companies have warned iPhone users about a new vulnerability that allows attackers to steal data only when visiting a website from an iOS device.
New attack tool: DarkSword
This is a set of tools called DarkSword, which, according to Google Threat Intelligence Group, as well as Lookout and iVerify, is already being used in attacks around the world. The exploit uses several vulnerabilities in iOS at once – versions of the system from 18.4 to 18.7 are at risk. According to Apple, about a quarter of all iPhones continue to run on various versions of iOS 18.
This means that potentially hundreds of millions of devices could be vulnerable to attacks using DarkSword. The main feature of the tool is that it does not need to be installed on the device. The user just needs to open the infected website. After that, data collection begins, including personal and financial information.
How the attack works and what is stolen
Unlike classic spyware, DarkSword is not designed for long-term surveillance. As Lookout researchers note, after completing data collection, the tool deletes all created files and stops working. The entire process can take a few minutes.
During this time, attackers can gain access to a wide range of information: call logs, contacts, calendars, notes, photos, screenshots, movement history and browser. Account data, iCloud content, Wi-Fi passwords, SIM card information and “Find iPhone” settings are also at risk.
In addition, the attack affects correspondence and data from popular services: iMessage, email, WhatsApp and Telegram. In some cases, even keys to crypto wallets can be stolen. After the device is rebooted, traces of the presence of malicious code practically disappear, which makes it difficult to detect the attack.
Geography of attacks and schemes
The researchers provide examples of specific incidents. One of the early cases was recorded in November: users from Saudi Arabia went to the Snapshare website, designed as a Snapchat service. After that, they were redirected to this site, and the infection occurred unnoticed.
To do this, the attackers hacked news resources and government websites. The analysts also link this group to another tool, Coruna, discovered earlier this year. It targeted devices running older versions of iOS, from 13 to 17. The experts pay special attention to the behavior of the attackers: the DarkSword code is not hidden and remains accessible, which makes it easy for other attackers to reuse it. This may indicate confidence in the ability to quickly create new similar tools even after closing the current vulnerabilities.
Don’t miss interesting news
Subscribe to our channels and read announcements of high-tech news, tes
