Security researchers with Google's Project Zero recently discovered malware that can spread to any iOS device that visits one of a number of hacked websites. The websites, which were not named in the report, receive more than a thousand visitors per week.
The new malware capitalized on 14 security exploits, including several 0-day vulnerabilities in iOS. It has already infected devices running iOS 10 through iOS 12.
According to the Project Zero report, the hackers created "five separate, complete and unique iPhone exploit chains," suggesting a sustained effort for more than two years to hack the iPhones of users in certain communities.
After a user visits an infected website, malware installed on the device collects a large amount of sensitive data, including text messages, photos, and real-time GPS locations, all while running unnoticed in the background.
Apple fixed the vulnerability with a security update in February, but only after the infected websites had been in operation for more than two years.
Many security researchers believe this malware is state-sponsored. Ziad Alim, "Researchers Reveal The Most Dangerous Piece Of iOS Malware Ever Seen," arizonadailyregister.com (Sep. 2, 2019).
The "drive-by download" is a type of malware attack that does not require any interaction on your part, meaning malware can infect your computer or device even if you do not click on anything. Simply visiting a compromised website is enough for the malware to download automatically onto your device.
In addition to the above attack, Google's Project Zero researchers found a wild iOS exploit in August that would allow malware to take over a targeted device without the user downloading it. Fortunately, Apple fixed the issue and there is no sign that the exploit was used.
However, these two malware cases are a reminder that users need to take precautions beyond avoiding clicking on unknown links or attachments in emails.
Luckily, there are steps you can take to reduce your risk of falling prey to a drive-by download. Generally, these attacks exploit vulnerabilities in a browser, app, or operating system. Keeping these up to date will go a long way toward protecting your computer or device from drive-by downloads.
Enabling your firewall and installing ad blocking software can also reduce your risk of a drive-by download. Use a search tool or web-filtering software that warns you if a site contains malware.
Criminals may install malware on websites that look safe. However, certain types of websites are more likely to contain malicious content. Always avoid adult-only and file-sharing sites, as they pose the greatest risk.
Finally, the two attacks discussed above are a reminder that even devices running iOS are vulnerable to malware. Never assume that you are safe because of the type of computer or mobile device you have. Always follow cybersecurity best practices, whether your operating system is Windows, iOS, or something else.