back to article Google security crew sheds light on long-running super-stealthy iOS spyware operation

Google's Project Zero says more than a dozen iOS flaws that Apple patched back in February had been under attack for years. Zero team bug hunter Ian Beer explained how the collection of fourteen vulnerabilities in various components of the OS, ranging from the browser to the kernel, were chained together to covertly launch …

  1. A random security guy

    Entire populations: State sponsored?

    Targeting ethnic groups? Implies state sponsored.

    Targeting people BORN in certain geographical regions? => state sponsored.

    Longevity of operation is years? State sponsored?

    Only monitoring for years? State Sponsored?

    Exploits worth more than $20M? State sponsored?

    These exploits would have been worth a lot of money.

    1. robidy

      Re: Entire populations: State sponsored?

      Even the BBC failed to get a PR comment...guess El Reg asked ha ha.

    2. DougS Silver badge

      Re: Entire populations: State sponsored?

      There are really only two likely candidates for the "state" here, Israel and China. Each have ethnic groups / regions they're trying to repress, have the organization to develop such complex exploit chains, and most importantly iPhones have a high enough penetration within the country to make it worthwhile (in China the installed base is far more favorable for iPhones than simply looking at the sales of new devices) None of the other states repressing ethic/regional minorities that have the technical capability of doing this like Iran or North Korea would have enough iPhones to make it worth the expense.

      It is too bad Google didn't reveal the websites in question, but I guess doing so would have made it obvious not only which state this was but who was being targeted, and they didn't want the potential blowback from calling someone out like that. Since Google has little to lose by calling out China I have to guess this was Israeli developed.

      1. Pier Reviewer

        Re: Entire populations: State sponsored?

        So the US isn’t even in contention?...

        1. DougS Silver badge

          Re: Entire populations: State sponsored?

          For this particular case, no. The US certainly develops their own exploits against everything out there, but the specific wording of Google's writeup indicates they are targeting a particular ethnic group and region. Who would the US be targeting, unless you want to argue Trump ordered the CIA/NSA to use their exploits to target Mexicans?

          1. John Brown (no body) Silver badge

            Re: Entire populations: State sponsored?

            Agreed. If this was the US, they'd be targetting everyone.

          2. TheVogon Silver badge

            Re: Entire populations: State sponsored?

            Chinese? Iranians? North Koreans? Or any ethnic group where the US could benefit from theft of IP like we know the US have done for decades?

        2. jgarbo
          Devil

          Re: Entire populations: State sponsored?

          The US doesn't spy. It's a democracy. It protects...

          1. Mahhn

            Re: Entire populations: State sponsored?

            The US isn't a Democracy. It is a Democratically elected Republic. Although many call it a plutocracy due to corruption.

      2. MiguelC Silver badge
        Holmes

        Re: Entire populations: State sponsored?

        Although it's usually wrong to make this kind of assumptions, you might be correct after all. It's been revealled that the malware was designed to target the Uyghur community in China’s Xinjiang state. From there on, no great investigative skills are needed...

      3. Binra

        Re: Entire populations: State sponsored?

        What if the idea of the 'state' is in effect captured as a proxy or extension of a broad spectrum corporately networked capacity?

        What if whether known to Apple or not, agents within its employ set up or leaked the various components independently that can then be drawn together by a third party at some remove?

        The ability to conceal toxic debt or intent in complex instruments of packaged obfuscation is part of the attempt of gaining power by the back door (deceit). The essential being to armour against exposure by trails of plausible deniability - which is itself the usurpation of National Security (anywhere) for private agenda.

        Rather than make a conspiracy theory - why not see that this is the way the mind works when it no longer trusts, believes or engages in relational communication - not least from believing its own spin.

        1. Halfmad Silver badge
          Trollface

          Re: Entire populations: State sponsored?

          You write about not making a conspiracy theory but your entire post is full of conspiracy ideas.

      4. Charlie Clark Silver badge

        Re: Entire populations: State sponsored?

        How come you ignored Russia?

        Surveillance of the Uighurs in China is already so extensive that I'm not sure the Chinese need more. I'm also not convinced that Xinjian is a hotspot for I-Phones.

        Israel is certainly likely, not necessarily for spying on the Palestinians, but because it receives such massive "military assistance" funding and already doing contract work for the US spooks, especially the stuff the US isn't allowed to do itself, like spy on US citizens.

        But, basically, most governments are interested in this kind of capability.

        1. DougS Silver badge

          Re: Entire populations: State sponsored?

          Russia has a very low penetration of iPhones (and it is probably even lower for repressed minorities like Chechens) relative to China and Israel so it seems like the cost/benefit ratio isn't there.

      5. Buzzword

        Re: Entire populations: State sponsored?

        China spying on Uighurs, Israel spying on Palestinians, even Russia spying on Chechens and Ukrainians. But are iPhones affordable in those parts of the world? If not, that suggests that both perpetrators and victims may be closer to home.

        1. matt 83

          Re: Entire populations: State sponsored?

          Come one guys, RTFA.

          Right at the bottom it says Windows PCs and Android devices were also targeted.

          The only reason the headline is about IOS devices is that

          1) attacks on it are a bit rarer than android or windows.

          2) it has a reputation for security

          3) it makes a lot of noise about how it totally protects your privacy

          4) it's a google researcher ;)

      6. David Leigh 1

        Re: Entire populations: State sponsored?

        If I was as ignorant as you, I wouldn't want the public to know, I'd just keep quiet!

    3. Potemkine! Silver badge

      Re: Entire populations: State sponsored?

      I'm not that sure. If mafias see a particular ethnic group as more interesting than other's to attack because of cultural habits can use, they will.

      Ok, the probability for that to be true is less lower than your hypothesis ^^

    4. JulieM Silver badge

      Re: Entire populations: State sponsored?

      Need it be a nation state, though? I mean, really?

      Governments are not the only entities with that kind of money anymore. There are corporations out there with spending powers that would put them safely on the World stage.

      Is it really that great a leap to imagine a corporation spotting a strong enough correlation to make it worth targetting an entire ethnic group, if they caught a faint whiff of money in it? If you run the numbers, and discover that a certain group of people have a certain habit in common -- not universally, but sufficiently more so than the general population to be worthwhile -- and there is a way for you to get some of that action, wouldn't you? A corporation would justify it by saying not to do so would be a disservice to their shareholders. (Never mind the disservice they were doing to victims of the very racism being promoted by playing to the stereotype.)

      Of course, if that ethnic group happens to be anything besides "European Agnostics", it is going to require extraordinary sensitivity even to report the story without inflaming tensions. The far right will claim that one particular stereotype happening to line up with observed reality in some cases proves them correct, while members of the minority in question will be understandably angry.

      Actually, I can see the attraction in believing it to be a nation state responsible for this after all. Much less nasty stuff to think about .....

      1. Anonymous Coward
        Anonymous Coward

        Re: Entire populations: State sponsored?

        Sometimes it is just an inquisitive child... see the many stories in the news for that.

        In reality only linked factual observations and data will give and answer. Musings only narrow down the search space.

        Anon. For the fun. Because who need to know already do.

  2. Anonymous Coward
    Anonymous Coward

    Consequences

    "Anyone worried about infection will want to make sure they are running the latest version of iOS (or anything from after February, really)"

    Had a friend who had an apple phone and clearly it was infected I started receiving malware emails and bogus phone calls. It looks like it's been infected for 5 years.

    Those of you are plagued with this crap is change your email address and phone number.

    1. Anonymous Coward
      Anonymous Coward

      Re: Email?

      Weak passwords are enough the compromise an email. Has nothing to do with a phone!!!

      1. Robert Grant

        Re: Email?

        Knowing an email address is enough to receive spam. No passwords required.

  3. SW10

    So, can we know...

    ...the websites concerned?

    I’m not for a second thinking that I’m either interesting enough or threatening enough, but presumably that would provide a fairly strong indication of who the targets are?

    Or is $Actor so scarily powerful that Google don’t dare to reveal that information?

    More questions than answers

    1. A random security guy

      Re: So, can we know...

      Website: It is far more effective to hack websites that are poorly administered rather than websites you control to prevent a direct trail to you. Hackers employ indirection to prevent casual administrators from determining who is running the CnC operations. A skilled forensics person will be able to do a better job. But that takes money. Better is to rebuild the website.

    2. DougS Silver badge

      Re: So, can we know...

      As I said above, since they indicated it was targeted at particular ethnic groups / regions it is almost certain that revealing the websites would make it quite obvious who was being targeted and therefore who was doing the targeting, and Google didn't wish the potential blowback from calling them out. My money is on Israel, because Google would have little to lose by calling out China since they have very little presence there.

  4. This post has been deleted by its author

    1. HmYiss

      OK.. You be sure. If it makes you sleep better.

  5. Anonymous Coward
    Anonymous Coward

    "We estimate that these sites receive thousands of visitors per week."

    So... which websites?

    I did not see a list of infected sites or even any WHOIS results of registrars.

    I would think this would be the most important part of the research.

    (Or did I miss something?)

    1. DougS Silver badge

      Re: "We estimate that these sites receive thousands of visitors per week."

      Yes, that there was a pretty obvious reason why they didn't want to reveal the websites, because it would have called out the state that sponsored the development of these complex exploit chains.

    2. jgarbo
      Big Brother

      Re: "We estimate that these sites receive thousands of visitors per week."

      Mr Beer has inadvertently uncovered a state-sponsored honey pot. I suspect he was told how much to reveal, ie the malware and its eradication, but nothing more, or else...meanwhile new malware is being written and uploaded. The game goes on.

    3. Anonymous Coward
      Anonymous Coward

      Re: "We estimate that these sites receive thousands of visitors per week."

      Oh. Interesting. Just realized something. Would also wonder what kind of sites those were.

  6. Bronek Kozicki Silver badge

    This is bad

    Someone, somewhere holds huge database of personal details of a significant number of people (many millions, quite likely), including where and when they moved, all their messages sent and received and all authentication keys. Oh, and they are not named Google (otherwise it would be billions and business as usual)

    I wonder if that database might possibly leak some day.

  7. mark l 2 Silver badge

    This is another reason why mono-cultures in browser engines is a bad idea. We are heading towards a system where the majority of browsers will be built on Chromium and so will be vulnerable to all the bugs found in that code, and on iOS you can only use Safari browser so every iPhone is vulnerable to bugs in webkit rendering engine.

    At least for now on PCs, Macs and Android you can install alternative browser such Firefox, but the market share is slowly shrinking for alternative browsers.

    1. Sir Runcible Spoon Silver badge

      "and on iOS you can only use Safari browser"

      I've installed two other browsers on my iPAD, one of which is Firefox.

      1. Victor Ludorum

        Ah yes but

        To quote https://developer.mozilla.org/en-US/docs/Mozilla/Firefox_for_iOS

        'Because of Apple's App Store restrictions, it also uses the built‑in iOS WKWebView, which is based on WebKit rather than Gecko.'

        So it's still susceptible to any WebKit vulnerabilities.

        1. Robert Carnegie Silver badge

          Re: Ah yes but

          Can you still get Opera in the "data compression" mode? Basically the vulnerable end of the browser runs on Opera's server and isn't limited to Webkit on your phone. What you actually receive is an edited version of the important stuff from web pages. I think.

  8. Chairman of the Bored Silver badge

    Emails and contacts...

    A lot of corporate iThing use cases do not involve use of Apple's email and contact applications but instead rely on Blackberry's sandboxed "Good App" or whatever it's called now. One wonders if this exploit worked on these or only the vendor-supplied tools.

  9. Anonymous Coward
    Anonymous Coward

    It's probably Porn sites that are targeted for infection. Surf to a site, and there ya go.

  10. JimM

    Why are we hearing this from Google and not Apple? Have Apple hushed this up?

    1. sabroni Silver badge

      re: Have Apple hushed this up?

      Only if you consider Google putting out a press release an Apple cover up.

      This is simple. Apple didn't publicise this because it makes them look bad. Google publicised this because it makes Apple look bad.

  11. rmstock

    iOS Exploit avalanche, full scale overseas attack on iPhone

    Trump urged American companies, who operate overseas, to come home. Apple is the premier American company who is at the cross roads to either become a State owned China vehicle (which Google obviously has become) or move all operations back to US mainland and remain the corporation Americans expect Apple to be. Apple must have been pondering to do full return to America. Next Google plays the Project Zero card, which one can translate as the Chinese Peoples Party ordering Google to sink the Apple iPhone division in any way, shape or form possible. It is important to realize that Apple is foremost a hardware company and Google is still far away from reaching such a level. Rumors have it that Google is mainly a global company, facilitating IT services for the secret service branches of several countries.

    1. AmishFuturist

      Re: iOS Exploit avalanche, full scale overseas attack on iPhone

      Of course. And my gran runs a covert operation for Mossad. Out of her corner shop.

  12. g00se2

    >>Project Zero dissects years-long surveillance campaign<<

    Pot analyses nature of kettle's blackness?

  13. ubuuntu

    Uh-oh

    Isn't it hilarious that a guy from Google preaches fear and hidden costs of "the capability to target and monitor the private activities of entire populations in real time"??? That's your company's business model dude.

  14. Binra

    What if the idea of the 'state' is in effect captured as a proxy or extension of a broad spectrum corporately networked capacity?

    What if whether known to Apple or not, agents within its employ set up or leaked the various components independently that can then be drawn together by a third party at some remove?

    The ability to conceal toxic debt or intent in complex instruments of packaged obfuscation is part of the attempt of gaining power by the back door (deceit). The essential being to armour against exposure by trails of plausible deniability - which is itself the usurpation of National Security (anywhere) for private agenda.

    Rather than make a conspiracy theory - why not see that this is the way the mind works when it no longer trusts, believes or engages in relational communication - not least from believing its own spin.

  15. J J Carter Silver badge
    Trollface

    When under state surveillance...

    If they’d done nothing wrong, they have nothing to worry about.

    1. jackofalltrades

      Re: When under state surveillance...

      LOL I wonder who downvoted even though there's a trollface.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019