The malware was discovered when the company suspected that something was off about the network activity originating from several iPhones owned by its employees. Because an iPhone cannot be inspected from the inside, Kaspersky created offline backups of the devices it believed were infected and found traces of compromise in them.
How does it work?
Cybercriminals send an invisible iMessage with a malicious attachment to the targeted iPhone. It requires no action from the user: the attachment alone is enough to exploit vulnerabilities in iOS, execute code and install the spyware. The phone then receives further instructions from the command-and-control server, including ones that grant the malware additional privileges and let it do more damage.
The original message is deleted, and so is the exploit in the attachment, so most victims will likely never know that their phone was infected.
No easy way to remove spyware
One thing that can point to the presence of the spyware is an inability to update iOS. Since iOS updates are blocked, it is currently impossible to remove the spyware without losing user data. The only way to get rid of it is to reset the affected iPhone to factory settings and install the latest version of iOS, which may not be possible because some older iPhones no longer receive OS updates. If only the spyware is deleted, the device will be re-infected.
The campaign has been active since 2019 and is still ongoing. It appears that only iPhones running iOS 15.7 or older are vulnerable.
“In other words, as I’ve often said, users are given the illusion of security associated with the complete opacity of the system. What actually happens in iOS is unknown to cybersecurity experts, and the absence of news about attacks in no way indicates their being impossible – as we’ve just seen.” – Eugene Kaspersky, CEO, Kaspersky