Google’s Security Team Finds iPhones Infected by Monitoring Implants

If you were a victim, let’s just say your deepest, darkest secrets were exposed and made vulnerable.

iPhone hack
If you were a victim of the hack, let’s just say your deepest, darkest secrets were exposed and made vulnerable. Jaap Arriens/NurPhoto via Getty Images

Boy, oh, boy—life, privacy and security haven’t gotten any easier in the digital age. It’s enough to make you stand up and scream, “I wish I was Amish!”

So, guess what hackers did this time.

SEE ALSO: How Much Personal Data Can Dating Apps Access From Your Phone?

No, they didn’t shout obscenities into a baby monitor or gain access to secretly film your home via your smart refrigerator. (Though they could—and have frequently have done so in the past.) 

It’s actually even worse: Back in January, researchers at Google (GOOGL)’s external security team disrupted an elaborate iPhone hacking operation that… lasted over two and a half years. And, as we all know, hacking years are like dog years, meaning that a hell of a lot of user information could’ve been obtained during that period of time.

According to The Guardian, the dubious iPhone hacking operation set a precedence for being unprecedented by attacking thousands of users—per week.

So, how did it go down? Well, here’s the rundown: Malware was attached to a visitor’s iPhone via a collection of hacked sites. “OK, great, I have an iPhone. I sometimes react to click bait, but if it looks suspicious, I immediately leave the site,” you say in your reader voice. 

Well, guess again. Users’ information and phone access were compromised simply by visiting the sites. No muss. No fuss. No interaction was needed. Yes, security compromises were made simply by clicking on the wrong website. The hackers’ methods even affected fully up-to-date phones. Holy crap.

So what user data was made vulnerable through this nefarious operation?

If you were a victim, let’s just say your deepest, darkest secrets were exposed and made vulnerable—including your location and chat histories from apps, such as WhatsApp, Telegram and iMessage—which could be uploaded into a database every damn minute.

Yes, bad news if you happen to have dreams of becoming a political candidate.

Along with that, iPhones’ keychains, containing all users’ passwords, were able to be uploaded. Also in the security vulnerability mix was the ability to obtain users’ address books and Gmail databases.

Have I said enough to make you ditch your devices and retreat to the woods yet?

Enter Ian Beer, a man who is considered one of the world’s best iOS hackers. Thankfully, he’s on our side, working for the benefit of good, as a white-hat hacker on Google’s Project Zero team, which published their findings about the hacking endeavor in a blog post last week. 

Beer’s role is to help find security vulnerabilities in software products such as Apple (AAPL)’s mobile operating system, which powers the iPhone. 

“Given the breadth of information stolen,” Beer told The Guardian, “the attackers may nevertheless be able to maintain persistent access to various accounts and services by using the stolen authentication tokens from the keychain, even after they lose access to the device.”

Sounds like if you were on these particular hackers’ hit list, you’d pretty much be screwed. 

But not all is dystopian grim. On the upside, once the user’s iPhone was restarted, the malware implant was cleared from memory—unless, of course, the user revisited the malware-infested site. 

On Friday, Apple finally addressed the hack and Project Zero’s report. “Last week, Google published a blog about vulnerabilities that Apple fixed for iOS users in February,” the company said in a released statement. “Google’s post, issued six months after iOS patches were released, creates the false impression of ‘mass exploitation’ to ‘monitor the private activities of entire populations in real time,’ stoking fear among all iPhone users that their devices had been compromised. This was never the case.”

Despite Apple’s reassurance, Beer said that this was only “one campaign that we’ve seen, there are almost certainly others that are yet to be seen.”

So, you have to consider is it worth the vulnerability and security of your phone to see what the cast of Saved by The Bell looks like nowadays? Maybe think twice the next time you consider pointing your mouse toward click bait. 

Harmon Leon’s latest book is Tribespotting: Undercover Cult(ure) Stories.’

Google’s Security Team Finds iPhones Infected by Monitoring Implants