Google lays out iOS malware exploits found in the wild, but already patched by Apple back in February

As you make your way around the blogosphere this morning, you’re sure to see a number of articles highlighting mysterious or indiscriminate iPhone attacks, quietly hacking iPhones for years.

There’s a nugget of truth there, but as always, best to go straight to the horse’s mouth, this blog post from Google’s Project Zero.

Earlier this year Google’s Threat Analysis Group (TAG) discovered a small collection of hacked websites. The hacked sites were being used in indiscriminate watering hole attacks against their visitors, using iPhone 0-day.

There was no target discrimination; simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant.


TAG was able to collect five separate, complete and unique iPhone exploit chains, covering almost every version from iOS 10 through to the latest version of iOS 12. This indicated a group making a sustained effort to hack the users of iPhones in certain communities over a period of at least two years.

Most importantly:

We reported these issues to Apple with a 7-day deadline on 1 Feb 2019, which resulted in the out-of-band release of iOS 12.1.4 on 7 Feb 2019. We also shared the complete details with Apple, which were disclosed publicly on 7 Feb 2019.

So, the way I read this, Google uncovered the threat, reported it to Apple back in February, and Apple issued a patch pretty much immediately.

This is a news story, fair enough, but it’s about a problem that’s been long solved. Keep that grain of salt deeply in mind.