APPLE USERS were the subject of a "sustained" zero-day attack on their devices lasting at least two years, a new report claims.
Researchers from Google's notorious Project Zero division, home to white hat hackers who have named and shamed a number of its rivals in the past, said the attack took the form of a piece of malware hidden in a seemingly genuine webpage, which quietly installs itself when surfed to on the device.
This is the second set of flaws that Project Zero has found in iOS this month.
Once installed on a device running iOS 10 and above, the device becomes a clandestine spying device which reports location, contacts, messages and the like every 60 seconds. Such telemetry can give criminals a surprisingly broad picture of what a person is like, which they can then turn to their advantage.
The data collection wasn't limited to Apple apps either - in testing, the malware was able to extract data from most leading apps from third parties, including WhatsApp and Google Maps - and, yes, before you ask, it got yer GMail too.
The attack is already in the wild, though it is not known how many handsets have fallen prey, nor who is behind it - something we'll perhaps never know.
Project Zero's Ian Beer explains:
"Real users make risk decisions based on the public perception of the security of these devices. The reality remains that security protections will never eliminate the risk of attack if you're being targeted. To be targeted might mean simply being born in a certain geographic region or being part of a certain ethnic group.
"All that users can do is be conscious of the fact that mass exploitation still exists and behave accordingly; treating their mobile devices as both integral to their modern lives, yet also as devices which when compromised, can upload their every action into a database to potentially be used against them."
The vast majority of vulnerabilities that Project Zero found (and there are 12 of the rotters) were in Apple's Safari browser, by far the most popular choice amongst iOS users.
The flaw has now been patched, in fact, it's been patched since February, though that's still two years worth of data-rape. - Fair play to Apple, it released the patch within 6 days of being informed of the issues. Now it's over to you - if you're on a version of iOS lower than 12.4.1 then we suggest you update. Like, now.
Apple has declined to comment. If it did, it'd probably say "Aaaaaaaagh Fuuuuuuuuuuuuuuuuuuuuck". µ
OK Google, explain 'imminent disappointment'
We'd have called it Bridget
Investor leverages his $1.2bn stake in PC maker
Social network handed over info in 88 per cent of cases