A previously unknown advanced persistent threat (APT) actor is targeting iOS devices as part of a sophisticated, long-running mobile campaign dubbed Operation Triangulation, which started in 2019.
“The target is infected using a clickless exploit via the iMessage platform, and the malware runs with root privileges, gaining full control over the device and user data,” Kaspersky said.
The Russian cybersecurity firm said it found traces of the compromise after creating offline backups of the targeted devices.
The attack chain begins with an iOS device receiving an iMessage whose attachment carries an exploit.
The exploit is said to be zero-click: merely receiving the message triggers the vulnerability, and code execution is achieved without any user interaction.
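Kaspersky says it found traces of the compromise in offline backups of the targeted devices, and the entry point is an iMessage attachment. The following added example (written for this page, not Kaspersky's tooling and not from the original article) shows how an analyst can locate the relevant artifacts in an iTunes/Finder-style iOS backup: the `Manifest.db` index records every backed-up file by domain and relative path, backed-up files are stored on disk under the SHA-1 of `domain + "-" + relativePath`, and message attachments live under `MediaDomain` at `Library/SMS/Attachments/`. The sample manifest, the `suspicious_attachments` heuristic and the list of "expected" media extensions are constructed assumptions for illustration; a real triage would run against a device backup and correlate the results with the message timeline.

```python
import hashlib
import sqlite3
from pathlib import PurePosixPath

# Locations inside an iOS backup (domain + relative path as recorded in Manifest.db).
SMS_DB_DOMAIN = "HomeDomain"
SMS_DB_PATH = "Library/SMS/sms.db"
ATTACHMENT_DOMAIN = "MediaDomain"
ATTACHMENT_PREFIX = "Library/SMS/Attachments/"

# Constructed heuristic: attachment types a typical user mailbox is expected to hold.
EXPECTED_MEDIA_SUFFIXES = {".heic", ".jpg", ".jpeg", ".png", ".gif", ".mov", ".mp4"}


def backup_file_id(domain: str, relative_path: str) -> str:
    """Return the on-disk file name of a backed-up file.

    iOS backups store each file under SHA-1(domain + "-" + relativePath), so an
    analyst can locate sms.db directly instead of scanning every manifest entry.
    """
    return hashlib.sha1(f"{domain}-{relative_path}".encode("utf-8")).hexdigest()


def list_message_attachments(conn: sqlite3.Connection) -> list:
    """Return (fileID, relativePath) for every iMessage/SMS attachment in Manifest.db.

    `conn` is an open sqlite3 connection to the backup's Manifest.db.
    """
    rows = conn.execute(
        "SELECT fileID, relativePath FROM Files "
        "WHERE domain = ? AND relativePath LIKE ? ORDER BY relativePath",
        (ATTACHMENT_DOMAIN, ATTACHMENT_PREFIX + "%"),
    ).fetchall()
    return [(file_id, path) for file_id, path in rows]


def suspicious_attachments(conn: sqlite3.Connection) -> list:
    """Flag attachments whose extension is not an expected media type (constructed heuristic).

    The point is triage, not proof: an unexpected attachment type is a lead to pull
    the file (by its fileID) and the matching row in sms.db for closer inspection.
    """
    return [
        (file_id, path)
        for file_id, path in list_message_attachments(conn)
        if PurePosixPath(path).suffix.lower() not in EXPECTED_MEDIA_SUFFIXES
    ]


def build_sample_manifest() -> sqlite3.Connection:
    """Constructed in-memory stand-in for Manifest.db (sample rows, not from a real device)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Files (fileID TEXT PRIMARY KEY, domain TEXT, "
        "relativePath TEXT, flags INTEGER, file BLOB)"
    )
    sample = [
        (SMS_DB_DOMAIN, SMS_DB_PATH),
        (ATTACHMENT_DOMAIN, ATTACHMENT_PREFIX + "ab/11/F1A2B3C4/IMG_0001.HEIC"),
        (ATTACHMENT_DOMAIN, ATTACHMENT_PREFIX + "cd/13/D5E6F7A8/attachment.bin"),
        ("HomeDomain", "Library/Preferences/com.apple.Preferences.plist"),
    ]
    for domain, path in sample:
        conn.execute(
            "INSERT INTO Files VALUES (?, ?, ?, ?, NULL)",
            (backup_file_id(domain, path), domain, path, 1),
        )
    conn.commit()
    return conn


if __name__ == "__main__":
    conn = build_sample_manifest()
    # sms.db always hashes to the same fileID, which is how analysts find it in a backup.
    print("sms.db is stored as", backup_file_id(SMS_DB_DOMAIN, SMS_DB_PATH))
    for file_id, path in suspicious_attachments(conn):
        print("review:", file_id, path)
```

Against a real backup, open `Manifest.db` from the backup directory instead of `build_sample_manifest()`; the `fileID` values returned are the file names to pull from the backup for hashing or further analysis.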
The exploit is also configured to fetch additional payloads for privilege escalation and to drop late-stage malware from remote servers, in what Kaspersky describes as a “full-featured APT platform.”
The implant, which runs with root privileges, is capable of harvesting sensitive information and is equipped to run code downloaded as a plugin module from the server.
In the final phase, the initial message and the exploit attachments are deleted to erase all traces of the infection.
“Malicious devices do not support persistence, most likely due to (operating system) limitations,” Kaspersky said. “Timelines of some devices indicate they may be reinfected after rebooting.”
The exact scale and scope of the campaign remain unclear, but the company says the attacks are ongoing, with the infection found on devices running iOS 15.7, which was released on September 12, 2022.
It is also currently unknown whether the attack exploits a zero-day vulnerability in iOS. The Hacker News has reached out to Apple for further comment, and we’ll update the story when we hear back.