Researchers at Google’s Project Zero yesterday lifted the curtain on a long-running mobile malware operation that for years attempted to infect iOS device users with a malware implant, using exploits delivered via a small number of compromised websites.

In an online blog post report, Google researcher Ian Beer did not reveal the specific websites that were abused in the watering-hole attacks, but said they were prominent enough to receive thousands of visits per week. The attacks were not targeted in nature, but rather indiscriminate, with the intention to infect a wide range of device owners.

Altogether, Google’s Threat Analysis Group (TAG) found five distinct iPhone exploit chains covering versions iOS 10 through the latest version of iOS 12. “This indicated a group making a sustained effort to hack the users of iPhones in certain communities over a period of at least two years,” states Beer in the blog post.

Between them, the five exploit chains targeted a total of 14 vulnerabilities: seven in the iPhone web browser, five impacting the kernel and two independent sandbox escapes. Many of the bugs were older ones that were previously patched, but at least one of the exploit chains was leveraging unpatched zero-day vulnerabilities at the time Project Zero reported the issues to Apple on Feb. 1, 2019. Beer says Google gave Apple a week deadline to issue a security update, which the company did on Feb. 7 with its out-of-band release of 12.1.4.

Generally, the attacks worked by first exploiting Sarafi web browser flaws, located within WebKit’s JavaScriptCore (JSC) implementation, to” achieve shellcode execution inside the sandboxed renderer process” on iOS and gain a foothold on a device, Project Zero researcher Samuel Groß explains in his own analysis of the JSC bugs. This process notably bypassed any JIT code injection mitigations that were available at the time the exploits were created.

This set the stage for the kernel exploits, which enable privilege escalation and unsandboxed code execution as root, allowing the attackers to distribute the implant.

According to Beer’s malware analysis, the implant has spyware and information stealer capabilities. It can access database files for any downloaded end-to-end encryption apps, including WhatsApp, Telegram and iMessage, allowing the enabling the attacks to read the message content in plaintext. Likewise, the implant can gather a user’s plaintext communications from Google Hangouts and Gmail , as well as copies of his or her contacts database, photos, and device keychain. The keychain, of course contains credentials, certificates and even security tokens that the adversaries can use later to access victim accounts even after the implant is no longer functional.

Finally, the implant can upload user location in real time, as frequently as once per minute if the device is online.

Project Zero’s report provides links to a deeper analysis of the five exploit chains. The first targeted iOS versions 10.0.01-10.1.1 and may have worked against fully patched versions of iOS 10 for at least two years, starting in September 2016, Beer notes. The second exploit chain was created for iOS 10.3-10.3.3.

Exploit three worked on iOS 11 – 11.4.1 and involved a separate sandbox escape exploit that abused a bug in a core IPC library. “While errors are common in software development, a serious one like this should have quickly been found by a unit test, code review or even fuzzing. It’s especially unfortunate, as this location would naturally be one of the first ones an attacker would look…” Beer states.

Exploit chain number four was crafted for iOS 12-12.1, was the one with the two discovered zero-day vulnerabilities. The fifth and last known exploit was created for iOS 11.4.1-12.1.2 and abuses a “vouchers” feature.

Beer says in some cases the vulnerabilities were due to “code which seems to have never worked” as well as “code that likely skipped QA or likely had little testing or review before being shipped to users.” SC Media has reached out to Apple for comment on the Project Zero report.

“For a long time, there was a myth spreading that iOS and OSX are secure operating systems and do not need any security systems like anti-malware to protect them… This last attack example just shows that there is no such thing as a secure operating system,” said Boris Cipot, senior security engineer at Synopsys, in emailed comments. Apple for sure did a good job of preventing attacks or making them harder to execute by restricting in how the software can be installed and where from. However this is a control process that lowers the risk of security breaches rather than eliminates it.”

“All phones are probably hackable one way or another, as anything that connects to the internet is at risk from vulnerabilities and exploitation. So a critical exploit, even if found in devices that have always been considered the safe option, is not really a surprise,” added HackerOne CEO Marten Mikos. “While Apple’s response has been quick and proactive, and their recent action to increase their bug bounty will certainly incentivize ethical hackers to work harder to protect the company, it highlights the need to have processes and practices in place to find these vulnerabilities before they become such a risk.”