Google security researchers say they have found evidence of a “group making a sustained effort” to hack iPhones over at least two years.
The researchers found a number of websites being used to launch “indiscriminate” attacks on iPhones when visited. The team estimated the sites were visited “thousands of visitors per week”.
Details of the attack were published in a series of blog posts by Ian Beer, a member of Project Zero, Google’s taskforce for finding security flaws.
Beer said the sites had been hacking iPhones over “period of at least two years” and the vulnerabilities affected iOS 10 to iOS 12 – the current software.
“There was no target discrimination,” said Beer. “Simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant.”
Once the bug had implanted itself on an iPhone, it could access data including contacts, images, GPS data, and saved passwords. It could also take data from apps used on the phone, such as Instagram and WhatsApp.
Google disclosed the security flaws to Apple in February, giving the company a week to fix them. Apple released iOS 12.1.4 six days later to address the problems.
Beer warned that other similar attacks could still be ongoing. “For this one campaign that we’ve seen, there are almost certainly others that are yet to be seen,” he said.
Apple declined to comment.