Millions of iPhones attacked through security hole in iMessage messaging service

Phan Van Hoa 05/06/2023 06:41

(Baonghean.vn) - Kaspersky (Russia), the world's leading security software producer and distributor, recently discovered new malware that attackers can secretly install on iPhones running old versions of the iOS operating system.

Accordingly, this malware took advantage of a security vulnerability in the iMessage messaging service provided by Apple to send malicious code and take control of the device.

iMessage is known as Apple's messaging service exclusively for devices in the "apple" ecosystem such as iPhone, iPad, iPod touch or MacBook, operating through mobile data networks or Wi-Fi. iMessage messages will be completely encrypted and appear as blue messages. Besides, sending iMessage messages will be completely free, only requiring your phone to access the network.

The malware was discovered when Kaspersky suspected that something was amiss with the operation of iPhones owned by employees, including middle and senior managers, such as the devices running unusually slow and failing to update to the new iOS operating system. Unable to examine the iPhones from the inside, Kaspersky created offline backups of the devices they believed to be infected and found evidence of the malware.

Security software maker Kaspersky said it was a targeted campaign against iPhone owners by a cybercriminal group. Kaspersky called it “Operation Triangle.”

How does the malware work?

The attackers use the iMessage messaging app to send messages with a malicious attachment to targeted iPhones. The attachment takes advantage of security holes in the iOS operating system to execute code and install the malware without the iPhone user having to do anything.

The malware can then infiltrate iOS without the user knowing. Once successfully installed, it will “listen” to remote hackers every time the device connects to the Internet.

Kaspersky said that by exploiting the vulnerability, the malware had unrestricted access to the iPhone and ran a series of commands to collect personal information, including microphone recordings, images from messengers, and geolocation. Even deleted messages could be recovered. After stealing data, the software automatically erases traces, making it difficult for users to detect that their iPhone was infected with malware.

How to remove this malware from iPhone?

An easy way to tell if this malware is present on your iPhone is if you are unable to update your device to a newer version of iOS. Since iOS updates are blocked, it is currently impossible to remove this malware without losing user data.

Therefore, the only way to remove the malware from the user's iPhone device is to restore the factory settings and download the latest version of iOS. However, this may not be possible for some older iPhone models because they are not supported for new operating system updates. On the other hand, even if this malware is deleted from the iPhone device's memory, after a reboot, it can still infect again through vulnerabilities in the outdated version of iOS.

“Operation Triangle” is estimated to have been active since 2019 and is still ongoing. Apple is believed to have known about the vulnerability and patched it, as only iPhone models running iOS 15.7 or earlier are vulnerable.

According to Apple, more than 80% of iPhone users have updated to iOS 16, meaning the majority are no longer vulnerable to attacks. However, with 1.36 billion active iPhones in the world, 258 million iPhone users could still be targeted.

Kaspersky said that iPhones are easy targets for attacks like this because the iOS operating system is like a “black box” where malware can easily hide for years. Apple has a monopoly on research tools, so detecting these threats is not easy.

According to Kaspersky, this is just the beginning of the investigation into this sophisticated attack and there is still a lot of work to be done in the coming time. As the investigation continues, new data related to this malware will be published at the International Conference on Cyber Security taking place in October.
