A powerful, possible US government iPhone hacking toolkit
has now ended up in the hands of Russian spies
and criminal hackers.
It’s infected tens of thousands of phones at minimum,
and it’s still likely being used against new victims.
Security researchers at Google on Tuesday released a report
describing what they’re calling Coruna,
a highly sophisticated iPhone hacking toolkit
that includes five complete hacking techniques.
Each of them is capable of bypassing all the defenses
of an iPhone and installing malware on an iOS device
when it simply visits a website
containing the exploitation code.
This is the first time an iPhone hacking technique
has ever been used so indiscriminately
in a criminal hacking campaign.
So, which devices are at risk?
Well, Google notes that Apple patched vulnerabilities
used by Coruna in the latest version of iOS, iOS 26.
In fact, the exploitation techniques are only confirmed
to work against iOS 13 through 17.2.1,
so make sure your iOS devices are updated.
Coruna targets vulnerabilities in Apple’s WebKit framework
for browsers, so Safari users on those older versions
of iOS would be vulnerable,
but there are no confirmed techniques in the toolkit
for targeting Chrome users.
Google also notes that Coruna checks if an iOS device
has Apple’s most stringent security setting
known as Lockdown Mode enabled,
and it doesn’t attempt to hack it, if so.
In total, Coruna takes advantage
of 23 distinct vulnerabilities in iOS.
That’s a huge, rare collection of hacking components,
and it suggests Coruna was created by a well-resourced
and likely state-sponsored group of hackers.
In fact, according to mobile security firm iVerify,
it appears to have been written by English-speaking coders
and shares some suspicious code similarities
to a hacking tool known as Triangulation
that the Russian government attributed in 2023
to the US government.
Google has said only that the toolkit was first used
by a customer of a surveillance vendor.
From there, however, Coruna appears to have somehow ended up
in the hands of Russian spies
who used it to target Ukrainians.
Then most recently, it’s been used to infect
Chinese-language websites to steal cryptocurrency
from victims, as well as emails and photos.
If this rogue tool was originally created by a contractor
for the American government, as iVerify has suggested,
it raises serious concerns about the security
of our mobile devices in a world where highly sophisticated
hacking tools created for US surveillance agencies
can leak to adversaries.
But regardless of Coruna’s origin,
Google warns that it now exists in the wild,
and it could still be adopted or adapted by any hacker group
seeking to target iPhone users.
Read more about Coruna at www.wire.com.
