Millions of iPhones Targeted by New DarkSword Spyware

Summary
– DarkSword is a new hacking toolkit that steals data from iPhones simply when a user visits an infected website, without requiring any download.
– It exploits vulnerabilities in iOS versions 18.4 through 18.7, potentially affecting hundreds of millions of devices.
– The spyware quickly steals extensive personal data like contacts, photos, messages, and passwords, then deletes itself to avoid detection.
– Hackers have left the DarkSword code publicly accessible, suggesting they are confident new, similar attacks can be created.
– It has been used in global attacks, including by a Russia-linked group targeting users in Ukraine via compromised legitimate websites.
Cybersecurity experts are raising urgent concerns about a new and highly effective spyware toolkit called DarkSword, which poses a significant threat to iPhone users worldwide. This sophisticated attack method can compromise a device without requiring the victim to download any software, making it exceptionally dangerous and difficult to detect. The threat underscores the critical importance of keeping your iOS software fully updated to the latest version available.
Google, in collaboration with cybersecurity firms Lookout and iVerify, has issued a detailed warning about this exploit. Their reports indicate that DarkSword leverages multiple security vulnerabilities found in iOS versions 18.4 through 18.7. Given that Apple’s own data suggests nearly a quarter of all iPhones are still running some form of iOS 18, the potential scale of this threat is enormous. This translates to hundreds of millions of iOS devices that could be susceptible to infection if they have not installed the most recent security patches.
The mechanism of the attack is what sets it apart. A user only needs to visit a compromised website to trigger the infection. There is no malicious app to install; the spyware executes silently in the background. Once active, DarkSword operates with remarkable speed and stealth. It is not designed for long-term monitoring. Instead, it rapidly collects targeted data, transmits it to the attackers, and then erases traces of its activity from the device. The entire process, from infection to data theft and self-cleanup, may take only a few minutes, leaving almost no evidence behind after a device restart.
The range of information DarkSword can steal is comprehensive and alarming. It includes call logs, contacts, calendar entries, photos, notes, and location history. The spyware can also access web browser data, account credentials stored in the device keychain, Wi-Fi passwords, and iCloud content. Sensitive data from messaging apps such as iMessage, WhatsApp, and Telegram is exposed, as are email accounts and even cryptocurrency wallet credentials.
Adding to the concern is the apparent indifference of the hackers behind these campaigns. They have not taken steps to hide their code after attacks, leaving it accessible for other malicious actors to find and use. This suggests the operators are confident they can develop new tools even if current exploits are discovered and patched.
Specific attacks have already been documented. In one early incident last November, Saudi Arabian users were targeted through a deceptive website posing as a Snapchat-themed platform called “Snapshare.” More recently, a hacker group with suspected ties to the Russian government, identified as UNC6353, used DarkSword to target iPhone users in Ukraine. This group compromised legitimate Ukrainian news and government websites to deliver the spyware. This same threat actor is believed to be responsible for a similar exploit called Coruna earlier this year, which targeted devices running older iOS versions from 13 through 17.
The discovery of DarkSword highlights a persistent and evolving threat to mobile security. Users are strongly advised to immediately update their iPhones to the latest version of iOS to protect against these known vulnerabilities. Remaining vigilant about the websites you visit is also crucial, as this attack vector requires no interaction beyond loading a malicious page.
(Source: Mashable)