Government iPhone Spyware Now in Hackers’ Hands

Summary
– The Coruna exploit kit uses five iOS exploit chains and 23 vulnerabilities to target iPhones running older iOS versions, specifically from iOS 13 through 17.2.1.
– It works by chaining vulnerabilities to bypass iOS security, gain high privileges, and install data-stealing malware after a user visits a malicious website.
– The attack checks for and aborts if a device has Lockdown Mode enabled or if the user is in private browsing mode, highlighting these as effective protections.
– Security researchers believe Coruna is built on foundations shared with known US government hacking tools, which have since leaked and are now used both by Russian espionage actors and by China-based cybercriminals.
– The kit is delivered via “watering hole” attacks on compromised websites, with its final payload being financially motivated to steal cryptocurrency wallet data.
Security researchers have uncovered a sophisticated hacking toolkit targeting iPhones, revealing a dangerous intersection of state-level cyber tools and widespread criminal activity. Google’s Threat Intelligence Group and the security firm iVerify have detailed an exploit framework called Coruna, which systematically attacks iPhones running older, unpatched iOS versions. This kit combines five distinct exploit chains and leverages 23 different vulnerabilities to infiltrate devices from iOS 13 up to iOS 17.2.1. The attack begins when a user visits a compromised website. Hidden JavaScript code probes the device to identify its model, operating system version, and security configurations. Based on this information, the exploit chain activates, methodically bypassing iOS’s built-in protections to gain elevated system privileges. Once inside, it can deploy malware capable of stealing sensitive data or downloading additional malicious modules. Notably, the attack checks for two specific user defenses: it will abort if it detects that Lockdown Mode is active or if the browser is in private browsing mode. This sophisticated behavior underscores the toolkit’s advanced design. Crucially, the exploit is only effective against iPhones that have not been updated, highlighting the critical importance of installing the latest iOS security patches.
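Because the article ties exposure to a specific iOS version window (13 through 17.2.1) and to keeping devices updated, a defender's first practical step is fleet triage: find which devices still fall inside that window. The example below is added here and is not from 9to5Mac, Google, or iVerify; it parses the iOS/iPadOS version that Safari reports in its User-Agent string (from proxy or web-server logs, or an MDM export) and flags versions inside the affected range. The log layout is a constructed minimal one, and the range is treated as inclusive at both ends as the article's wording reads; Lockdown Mode and private browsing are not visible in a User-Agent, so they are not checked here.

```python
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# Version window the article gives for Coruna's exploit chains (assumed inclusive at both ends).
AFFECTED_MIN: Version = (13, 0, 0)
AFFECTED_MAX: Version = (17, 2, 1)

# Safari on iPhone reports "CPU iPhone OS 17_2_1 like Mac OS X"; iPadOS reports "CPU OS 16_1 like Mac OS X".
_UA_IOS = re.compile(r"(?:iPhone|CPU) OS (\d+)_(\d+)(?:_(\d+))?")


def parse_ios_version(user_agent: str) -> Optional[Version]:
    """Return (major, minor, patch) from an iOS/iPadOS User-Agent, or None if it is not one."""
    m = _UA_IOS.search(user_agent)
    if not m:
        return None
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return (int(major), int(minor), int(patch))


def in_affected_range(version: Version) -> bool:
    """True if the version lies inside the Coruna window; tuple comparison orders (major, minor, patch)."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def triage(log_lines: List[str]) -> List[Tuple[str, Version, bool]]:
    """Return (client, version, flagged) for every iOS client found in the constructed log lines."""
    results = []
    for line in log_lines:
        # Constructed layout: <client> "<user-agent>"
        client, _, ua = line.partition(' "')
        version = parse_ios_version(ua.rstrip('"'))
        if version is None:
            continue  # not an iOS client; nothing to assess
        results.append((client, version, in_affected_range(version)))
    return results


# Constructed sample lines: one device at the top of the window, one patched, one iPad inside the window, one non-iOS.
SAMPLE_LOG = [
    '10.0.0.4 "Mozilla/5.0 (iPhone; CPU iPhone OS 17_2_1 like Mac OS X) AppleWebKit/605.1.15 Version/17.2 Mobile/15E148 Safari/604.1"',
    '10.0.0.5 "Mozilla/5.0 (iPhone; CPU iPhone OS 17_3 like Mac OS X) AppleWebKit/605.1.15 Version/17.3 Mobile/15E148 Safari/604.1"',
    '10.0.0.6 "Mozilla/5.0 (iPad; CPU OS 16_1 like Mac OS X) AppleWebKit/605.1.15 Version/16.1 Mobile/15E148 Safari/604.1"',
    '10.0.0.7 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0 Safari/537.36"',
]

if __name__ == "__main__":
    for client, version, flagged in triage(SAMPLE_LOG):
        print(client, ".".join(map(str, version)), "IN AFFECTED RANGE" if flagged else "ok")
```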
A deeper analysis of Coruna’s architecture points to a troubling origin story. iVerify’s technical report suggests the framework was constructed using the same foundational code as known cyber tools associated with United States government agencies. This indicates that what began as a tool for state-level intelligence gathering has now fallen into the hands of criminal groups. iVerify describes this as the first documented case of a criminal syndicate conducting mass exploitation of mobile phones, including iPhones, using tools likely developed originally by a nation-state. Evidence suggests the code was leaked or otherwise obtained and is now being deployed in campaigns linked to Russian espionage actors and to cybercriminals based in China. This leak reflects a broader, alarming trend in which powerful spyware has expanded far beyond its traditional targets such as journalists and activists. Recent reports show these tools are increasingly used against corporate executives in technology and finance, political campaigns, and other influential individuals. As the use of such software widens, the probability of it being captured and repurposed by hostile actors grows significantly.
In the wild, Coruna has been distributed through what are known as “watering hole” attacks. Hackers compromise legitimate websites or create convincing fake ones, often posing as cryptocurrency services, to lure victims. Once a user visits these malicious pages, the exploit kit is silently delivered to their device. The primary goal in these observed campaigns appears financially motivated. The final payload includes specialized modules designed to scrape cryptocurrency wallet information and secret recovery phrases directly from infected iPhones, aiming to drain digital assets. This shift from espionage to financial theft demonstrates how potent cyber weapons can be repackaged for different criminal objectives once they enter the broader underground market. The discovery of Coruna serves as a stark reminder of the persistent digital threats facing mobile users and underscores the non-negotiable need for consistent software updates and heightened security awareness.
(Source: 9to5Mac)