For over two years, 14 critical zero-day vulnerabilities in Apple's iOS were weaponized into five privilege-escalating exploit chains that remotely and completely took over hundreds of thousands of iPhones; merely loading a booby-trapped web page was enough, with no tap or prompt required. Apple's response? Not a big deal. This was just a "narrow", "targeted" campaign.
The exploits were in use from at least September 2016, and the attackers kept their chains working across every iOS version from 10.0.1 through 12.1.4. Once infected, a device immediately uploaded its data to the attackers' servers and then checked in with the command-and-control server every 60 seconds. The implant did not survive a reboot, but that is cold comfort: the keychain items and session tokens it had already stolen stay valid long after it is gone.
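A check-in every 60 seconds is a detection opportunity in its own right: real user traffic is bursty, while an implant's heartbeat is metronomic. The script below is an added example, not code from the original article or from Project Zero's analysis. It groups constructed connection-log lines by (source, destination), measures the inter-arrival times, and flags pairs that connect often and at almost constant intervals. The log format, the field names `src`/`dst`, and the thresholds are assumptions chosen for illustration.

```python
"""Flag fixed-interval beaconing in connection logs (added example, assumed format)."""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev

# Constructed sample log lines (not real telemetry). 10.0.0.5 -> 203.0.113.7 is
# the simulated implant checking in roughly every 60 s with a second of jitter;
# the other pairs are ordinary, irregular traffic.
SAMPLE_LOG = [
    "2019-08-30T10:00:00Z src=10.0.0.5 dst=203.0.113.7",
    "2019-08-30T10:00:05Z src=10.0.0.5 dst=198.51.100.2",
    "2019-08-30T10:00:00Z src=10.0.0.9 dst=198.51.100.9",
    "2019-08-30T10:00:15Z src=10.0.0.9 dst=198.51.100.9",
    "2019-08-30T10:00:47Z src=10.0.0.5 dst=198.51.100.2",
    "2019-08-30T10:01:00Z src=10.0.0.5 dst=203.0.113.7",
    "2019-08-30T10:02:01Z src=10.0.0.5 dst=203.0.113.7",
    "2019-08-30T10:03:00Z src=10.0.0.5 dst=203.0.113.7",
    "2019-08-30T10:03:20Z src=10.0.0.9 dst=198.51.100.9",
    "2019-08-30T10:03:50Z src=10.0.0.9 dst=198.51.100.9",
    "2019-08-30T10:04:00Z src=10.0.0.5 dst=203.0.113.7",
    "2019-08-30T10:05:00Z src=10.0.0.5 dst=198.51.100.2",
    "2019-08-30T10:05:01Z src=10.0.0.5 dst=203.0.113.7",
    "2019-08-30T10:06:00Z src=10.0.0.5 dst=203.0.113.7",
    "2019-08-30T10:07:00Z src=10.0.0.5 dst=203.0.113.7",
    "2019-08-30T10:11:40Z src=10.0.0.9 dst=198.51.100.9",
    "2019-08-30T10:11:50Z src=10.0.0.9 dst=198.51.100.9",
    "2019-08-30T10:25:00Z src=10.0.0.9 dst=198.51.100.9",
]


def parse_flows(lines):
    """Turn '<iso-timestamp> src=A dst=B' lines into (epoch_seconds, src, dst)."""
    flows = []
    for line in lines:
        ts_str, rest = line.split(maxsplit=1)
        fields = dict(part.split("=", 1) for part in rest.split())
        ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
        ts = ts.replace(tzinfo=timezone.utc).timestamp()
        flows.append((ts, fields["src"], fields["dst"]))
    return flows


def beacon_candidates(flows, min_events=6, max_period=600, max_cv=0.1):
    """Return (src, dst, mean_interval_s, cv) for pairs that look like beacons.

    A pair qualifies when it has at least `min_events` connections, its mean
    gap is at most `max_period` seconds, and the coefficient of variation of
    the gaps (stdev / mean) is at most `max_cv`; 0 means perfectly regular.
    """
    by_pair = defaultdict(list)
    for ts, src, dst in flows:
        by_pair[(src, dst)].append(ts)

    hits = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        period = mean(gaps)
        if period == 0 or period > max_period:
            continue
        cv = pstdev(gaps) / period
        if cv <= max_cv:
            hits.append((src, dst, round(period, 1), round(cv, 3)))
    return sorted(hits)


if __name__ == "__main__":
    for src, dst, period, cv in beacon_candidates(parse_flows(SAMPLE_LOG)):
        print(f"possible beacon: {src} -> {dst} every ~{period}s (cv={cv})")
```

The coefficient of variation is the key: an implant on a one-minute timer scores near zero even with a second or two of scheduling jitter, while a user hitting the same CDN host a few times a minute scores far higher. Tune `min_events` and `max_cv` against your own baseline before alerting on it; long-lived legitimate keepalives (push services, VPN heartbeats) will also surface and need allow-listing by destination.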
The data collected included location, device model, keychain contents, name and serial number, phone number, contacts, messages and attachments, notes, the list of installed apps, recordings, photos, files, call history, passwords, and the container directories of every app on the device.
The implant carried a hardcoded list of apps whose data it always uploaded, unencrypted, to the attacker-controlled servers. Among the selected apps were Gmail, Facebook, Skype, Telegram, WhatsApp and others. End-to-end encryption did these messengers no good here: it protects messages in transit, but they sit decrypted in the app's own container on the device, and an implant running as root reads them as easily as the app does.