Apple likes to tout the security of its iOS platform, but no operating system is perfect. We’ve seen hacks targeting the iPhone, but they’re rarely so-called “zero-day” hacks that catch Apple off guard. Researchers from security firm ZecOps now say they’ve found such an attack in the wild. According to ZecOps founder Zuk Avraham, a flaw in Apple’s Mail app allows attackers to infect a device with malware without any interaction from the user, and it’s being used against high-profile targets right now.
Avraham, a former Israeli Defense Force security researcher, says the company began investigating the vulnerability last year after several clients reported unusual crashes in the Mail app. The company traced the errors to a pair of previously unknown vulnerabilities in the latest versions of iOS. One of them is a “zero-click” flaw, meaning the user doesn’t have to interact with the malicious message at all. Simply receiving it in the Mail app is enough to trigger the payload.
This Mail flaw is reportedly clunky compared with some other attacks. It relies on sending very large emails that may be blocked by some email providers. It’s also limited to the iOS Mail client. If someone chooses to use Gmail or another app, the attack will not work. Even though it’s not the most sophisticated method, it’s still a zero-day, and that means Apple had no defense in place. That alone would make the hack highly valuable. Zero-day attacks of any type are valuable, but iOS flaws are particularly sought after. Android is open source, so there’s a high chance someone else will spot vulnerabilities. With the closed-source iOS, having a reliable hack could pay off for a much longer time until someone with more scruples stumbles upon it.
Avraham believes the attack originated with an unknown third-party but has been sold to at least one group of state-sponsored hackers. Current targets include high-level executives at large and mid-sized companies. So, you probably don’t need to be too worried right now. Worst case, you can stop using the iOS Mail app until there’s an update. You won’t have to wait very long, either. Apple confirms the vulnerabilities identified by ZecOps are patched in the latest iOS beta. That version should roll out to the general public in the coming weeks.
- Security Researchers Finally Figure Out ‘Unkillable’ Android Malware
- Firefox Zero-Day Used to Install Mac Malware
- Sophisticated Surveillance Malware Spotted on Android and iOS Phones