A malicious website can infect my iPhone. Fact or fiction?

September 4, 2019

The idea that iPhones are totally immune to threats has been debunked time after time. In fact, though the Apple smartphones may present a smaller target than Android devices, some say you can pick up all sorts of malware just by opening a dangerous website, without knowingly downloading and installing anything from that site. In this post, we find out whether that is true.

Truth: Malicious websites have been cracking iPhone security mechanisms for more than two years now

Researchers from Google’s Project Zero have discovered several hacked websites that have been attacking iPhones for at least two years now. To achieve that, attackers exploited 14 software vulnerabilities, seven of which are in Safari, the browser the vast majority of iPhone owners use.

Two other vulnerabilities allowed the malware to escape the sandbox that iOS uses to prevent one app from accessing (let alone changing) other apps’ data. The last five affect the iOS kernel, the central component of the operating system. Compromising the kernel gives the attacker root privileges, which not even the owner of the iPhone possesses.

The malicious websites in question were capable of attacking almost all current versions of Apple’s mobile operating system, from iOS 10 to iOS 12. The attackers changed their strategies in response to updates, refocusing their efforts entirely on new vulnerabilities.

What kind of malware was installed on infected iPhones

The infected websites managed to install spyware on victims’ devices, where it obtained unlimited device access privileges and worked in the background so that users wouldn’t notice a thing. It would then extract data from the device and send it to a command-and-control server, literally every minute. The spyware was interested primarily in the following:

  • Passwords and authentication tokens stored in the iCloud Keychain. Attackers were able to use these credentials to gain persistent access to victims’ accounts and steal data from them even after the spyware was deleted from the device;
  • Messages in the iMessage, Hangouts, Telegram, Skype, Voxer, Viber, and WhatsApp messengers. The malware stole information from the app databases, where all messages are stored in unencrypted form;
  • Messages in the Gmail, Yahoo, Outlook, QQmail, and MailMaster mail apps. The spyware was also able to obtain them from the corresponding app databases;
  • Call history and SMS;
  • Real-time information about the device’s location if GPS was enabled;
  • Address book;
  • Photos;
  • Notes;
  • Voice memos.

In addition, if the command-and-control server requested it, the malware sent its owners a list of apps on the device and could follow up with data from any of them. Worse, it transmitted all of that information in plain text format. In other words, if an infected iPhone connected to a public Wi-Fi network, then anyone — not just the spyware’s operators — could see the passwords, messages, and other information about the victim that the malware sent.
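The two behaviours just described, a fixed one-minute upload cadence and cleartext transport, are exactly what a defender can look for on a network they control, such as a home router or corporate Wi-Fi that exports flow records. The script below is an added example, not code from the original post or from Project Zero: it parses a constructed, whitespace-separated flow log (timestamp, source, destination, destination port, bytes uploaded; this format and all sample values are assumptions made for the example) and flags any device that repeatedly uploads sizeable amounts of data to the same destination on a cleartext port at regular intervals. The thresholds are assumptions too and should be tuned to the network in question.

```python
"""Detect beacon-like cleartext exfiltration in constructed flow records.

Added example, not code from the original post or from Project Zero. The
record format, sample values and thresholds below are assumptions made for
this illustration.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flow records: "timestamp src dst dport bytes_out".
# Timestamps are seconds since the epoch. One device (10.0.0.12) uploads
# ~18 KB to 203.0.113.7 over port 80 about every 60 seconds; the other
# flows are ordinary HTTPS traffic.
SAMPLE_FLOWS = """\
1567555200 10.0.0.12 203.0.113.7 80 18402
1567555203 10.0.0.12 172.217.0.46 443 1200
1567555260 10.0.0.12 203.0.113.7 80 17955
1567555290 10.0.0.31 198.51.100.9 443 3300
1567555321 10.0.0.12 203.0.113.7 80 18120
1567555381 10.0.0.12 203.0.113.7 80 18377
1567555400 10.0.0.31 198.51.100.9 443 500
1567555441 10.0.0.12 203.0.113.7 80 18066
1567555501 10.0.0.12 203.0.113.7 80 18299
"""

# Destination ports on which no transport encryption is expected (assumed set).
CLEARTEXT_PORTS = {80, 8080}


def parse_flows(text):
    """Parse the whitespace-separated records into dicts; skip malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            flows.append({
                "ts": int(parts[0]),
                "src": parts[1],
                "dst": parts[2],
                "dport": int(parts[3]),
                "bytes_out": int(parts[4]),
            })
        except ValueError:
            continue
    return flows


def find_beacons(flows, min_count=5, max_jitter_ratio=0.15, min_bytes=4096):
    """Return (src, dst, dport, interval_s, total_bytes) for periodic cleartext uploads.

    A (src, dst, dport) triple is flagged when it has at least `min_count`
    flows on a cleartext port, the gaps between flows are regular (standard
    deviation at most `max_jitter_ratio` of the mean gap) and the average
    upload size is at least `min_bytes`, which separates bulk data theft
    from small keep-alive polls that many legitimate apps also perform.
    """
    groups = defaultdict(list)
    for f in flows:
        if f["dport"] in CLEARTEXT_PORTS:
            groups[(f["src"], f["dst"], f["dport"])].append(f)

    hits = []
    for key, group in groups.items():
        if len(group) < min_count:
            continue
        group.sort(key=lambda f: f["ts"])
        gaps = [b["ts"] - a["ts"] for a, b in zip(group, group[1:])]
        avg_gap = mean(gaps)
        if avg_gap <= 0 or pstdev(gaps) > max_jitter_ratio * avg_gap:
            continue  # irregular timing: not beacon-like
        if mean(f["bytes_out"] for f in group) < min_bytes:
            continue  # small polls, not bulk uploads
        hits.append((*key, round(avg_gap), sum(f["bytes_out"] for f in group)))
    return hits


if __name__ == "__main__":
    for src, dst, dport, interval, total in find_beacons(parse_flows(SAMPLE_FLOWS)):
        print(f"{src} -> {dst}:{dport} every ~{interval}s, {total} bytes uploaded")
```

On the constructed sample the only hit is 10.0.0.12 uploading to 203.0.113.7:80 roughly every 60 seconds. Real traffic needs the thresholds adjusted, and a hit is a reason to investigate the device, not proof of compromise; but the combination of cleartext transport, regular timing and large uploads is a cheap signal that the behaviour the post describes would have produced.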

It is noteworthy that the developers of the spyware were indifferent to whether the malware gained a firm foothold in the system; it would disappear from the smartphone on reboot anyway. But given how much information the malware managed to steal at once, its disappearance is small consolation.

The threat has now passed … or not?

Apple developers fixed the last of the vulnerabilities that cybercriminals were able to exploit in this campaign in iOS 12.1.4, in early February 2019. Thus, the latest versions of the operating system are protected against these specific attacks.

Nevertheless, according to experts, several thousand users a week visited the malicious websites. This means that in all likelihood there were a lot of victims. In addition, the now-neutralized Web pages may be superseded by new websites exploiting vulnerabilities yet to be discovered.

How to avoid infecting your iPhone with malware

As you can see, your Apple smartphone really can be infected by a malicious website, and the consequences can be very serious. Therefore, we recommend that you exercise caution, even if you are convinced that nothing can threaten your gadget.

  • Make sure your iPhone is always running the latest version of iOS. Download updates as soon as they become available. Developers fix vulnerabilities that cybercriminals could take advantage of (and, as you see, this threat is not theoretical at all) in new iOS versions.
  • Do not click on links in ads, e-mails, messages from strangers, and so on. You should also be careful when it comes to search results: If you have doubts about the integrity of a particular resource, it is better not to open it at all.

A security solution using behavioral analysis technology that could block even previously unknown threats might be one way of securing the iPhone. However, unfortunately, no full-fledged antivirus solutions are available for iOS.

In summary: Is it true or a myth that the iPhone can be infected just by visiting a malicious website?

It is true. Malicious websites can exploit vulnerabilities in the mobile browser and in iOS itself to install all sorts of malware. The resources Google’s Project Zero researchers cited are no longer dangerous, but new ones could appear at any time.