Google, along with two cybersecurity firms, are warning iPhone users of a new exploit that can steal data — all from just visiting a website on a user’s iOS device.
DarkSword is a new hacking toolkit being deployed by bad actors on a global scale. The reports by Google Threat Intelligence Group and cybersecurity companies Lookout and iVerify detailed multiple vulnerabilities used to carry out attacks against iOS devices running versions 18.4 through 18.7.
According to Apple’s own developer website, nearly 25 percent of all iPhones are still on some version of iOS 18. Wired points out that this means there are potentially hundreds of millions of iOS devices susceptible to DarkSword.
What makes DarkSword so concerning? Unlike most malware, DarkSword doesn’t need to be installed on a target’s device. A victim simply needs to visit an infected website. From there, DarkSword steals personal or financial data. And unlike most spyware, DarkSword isn’t being used for long-term espionage.
“As opposed to many other previously reported cases of sophisticated attacks on mobile devices, DarkSword is not designed for ongoing surveillance,” writes Lookout in its report. “Once it finishes collecting and exfiltrating the targeted data, it deletes the files it created on the filesystem of the device and exits. Its dwell time on the device is likely in the range of minutes, depending on the amount of data it discovers and exfiltrates.”
Mashable Light Speed
Hackers utilizing DarkSword take what they want from the victim within a short period. Once an infected device is restarted, the spyware is nearly undetectable on the device.
Iran-linked hackers launch cyberattack against U.S. medtech company Stryker
DarkSword can be used to siphon all sorts of personal data from an iOS device to a nefarious actor. Call logs, contacts, calendars, notes, photos, screenshots, location history, web browser history, signed in account identities, device keychains, SIM card info, Find My Phone settings, WiFi passwords, iCloud content, and more can be sent to the threat actor through this attack. iMessage data, email, WhatsApp data, Telegram data, and even cryptocurrency wallet credentials can also be stolenl.
Another concerning aspect of DarkSword is the cleanup of the cybercrime scene afterward. There is none. Hackers who have utilized DarkSword have left the code behind for anyone to access and deploy. In addition, it appears these hackers aren’t concerned with its discovery, resulting in the closure of the exploit, meaning they are likely confident new and similar attacks can be replicated with new tools.
Google’s report details some specific attacks carried out by DarkSword. For example, one early incident in November targeted Saudi Arabian users through a Snapchat-themed website called Snapshare. The website forwarded visitors to a legitimate Snapchat site while it infected the device in order to hide the nefarious activity.
In more recent attacks carried out just this month, a hacker group with suspected ties to the Russian government, known as UNC6353, deployed DarkSword in order to target iPhone users in Ukraine. The group was somehow able to compromise legitimate Ukrainian news sites and official government websites to target its victims.
It is believed this threat actor is also behind a previously uncovered yet similar exploit known as Coruna earlier this year. That hacking toolkit targeted even older iOS devices that were still using iOS versions 13 through 17.
