At the end of last month, Google’s elite security analyst team Project Zero released a report on 14 different iPhone security flaws that were secretly exploited by hackers for at least two years. However, new information released by Apple and cybersecurity researchers suggests that Google lied about some parts of the iPhone breach.
CCN.com reported in August that the hackers used watering hole attacks against iPhone users and installed monitoring implants to the victims’ devices when they had visited websites infected by the attackers.
According to the Google researchers, the infected websites received thousands of visitors every week while the hackers managed to cover almost every version of Apple’s mobile operating system from iOS 10 to the latest version of iOS 12.
While Google stated that the hackers attacked iPhone users indiscriminately, RiskIQ Head of Threat Research Yonathan Klijnsma argued that the malicious code on the infected sites used filters, preventing it from running unless certain conditions were met.
Furthermore, a TechCrunch article earlier this month revealed that part of the malicious sites was targeting Uyghur Muslims and suggested that these websites were a part of a state-backed attack by China in an effort to crack down against the minority community.
In fact, cybersecurity firm Volexity published a recent report confirming the same, highlighting a similar hacker campaign but with the difference of targeting Android users instead of iOS users.
Klijnsma told ZDNet that RiskIQ’s Passive Total platform shows that during the attack launched against the Uyghurs on Android – from which he stated that it was in tune with the iPhone attacks – the payload used by the hackers was only triggered 166 times, indicating that it was anything but a global mass-exploitation campaign.
In an official statement published yesterday, Apple disputed Google’s claims that the attack lasted for at least two years, stating that the website breach was only operational for two months.
Furthermore, Apple confirmed that “fewer than a dozen” malicious websites were targeting Uyghur Muslims and argued that the attack was narrowly focused instead of being a “broad-based exploit of iPhones en masse.”
According to Apple, Google’s post “stoked fear” among iPhone users who were afraid that their devices had been compromised by the attack, accusing Google of creating the false impressions of a “mass exploitation” of iOS devices.
Taking into account all the reports and statements that go against Google as well as the broad terms used in Project Zero blog posts to describe the breach, it seems like Google was lying to us about the hacker attack in an attempt to spread FUD about one of its main competitors.
Disclaimer: The views expressed in this op-ed are solely those of the author and do not represent those of, nor should they be attributed to, CCN.com.
Last modified: January 10, 2020 2:54 PM UTC