Researchers uncover iPhone spyware capable of penetrating millions of devices
· CNA · JoinRead a summary of this article on FAST.
Get bite-sized news via a new
cards interface. Give it a try.
Click here to return to FAST Tap here to return to FAST
FAST
March 18 : A powerful software exploit capable of penetrating and stealing information from potentially hundreds of millions of Apple iPhones was planted on dozens of websites in Ukraine in recent weeks, researchers said on Wednesday.
The discovery marks the second time this month that researchers have found spyware targeting iPhones and other Apple devices. Together, the two hacking tools show that the market for sophisticated malware capable of stealing data and cryptocurrency wallet information is flourishing, researchers said.
Researchers with cyber firm Lookout, mobile security firm iVerify and Alphabet's Google published coordinated analyses of the malware they dubbed “Darksword.” On March 3, Google and iVerify revealed a separate powerful iPhone spyware called "Coruna." Researchers found Darksword hosted on the same servers.
“There’s now a verified pipeline of recent exploits ... that have ended up in the hands of potentially criminal entities with a financial focus,” said Justin Albrecht, principal researcher with Lookout.
CNA Games
Guess Word
Crack the word, one row at a time
Buzzword
Create words using the given letters
Mini Sudoku
Tiny puzzle, mighty brain teaser
Mini Crossword
Small grid, big challenge
Word Search
Spot as many words as you can
Show More
Show Less
GOOGLE FLAGS WIDE-RANGING HACKING CAMPAIGNS
Google said its researchers observed multiple commercial vendors and suspected state-linked hackers using Darksword in distinct campaigns against targets in Saudi Arabia, Turkey, Malaysia and Ukraine.
The campaigns in Malaysia and Turkey were associated with Turkish commercial surveillance vendor PARS Defense, Google said. PARS Defense did not respond to a request for comment.
According to iVerify and Lookout, researchers discovered the malware being delivered to iPhone users running iOS versions 18.4 to 18.6.2 who visited one of dozens of Ukrainian websites. Apple released those versions between March and August 2025.
It's not clear how many iPhones are vulnerable to Darksword attacks, the researchers said. Apple has released multiple fixes for the underlying bugs attackers used to make Darksword. Nevertheless, many people don't install iPhone updates, and an estimated 220 million to 270 million iPhones still run exposed iOS versions, according to iVerify and Lookout, which based the figures on public estimates. Google did not share its findings ahead of Wednesday’s report.
An Apple spokesperson said the exploits targeted "out-of-date software," and that the underlying vulnerabilities have been addressed across multiple updates over the last several years for users running the latest versions of their devices' operating systems.
"Keeping software up to date remains the single most important thing users can do to maintain the high security of their Apple devices," the spokesperson said.
Additionally, all malicious domains identified by Google are blocked by Apple Safe Browsing in the Safari web browser to prevent further exploitation, the spokesperson said.
The discovery of two distinct powerful iOS exploits this month suggests a robust ecosystem for tools that were previously limited primarily to state-level intelligence operations, said Rocky Cole, co-founder and COO of iVerify.
Researchers said they discovered the vulnerabilities because of sloppy security mistakes not common in state-linked iPhone hacking.
“The fact that they don’t care if it gets burned, and that they’re using them in mass attacks with poor (operational security), that says a lot about how much they value these tools,” Cole said. “They’re not overly precious about them being exposed."
Darksword was found on the internet servers that suspected Russian operators of Coruna used, researchers with iVerify and Lookout said in findings and interviews ahead of Wednesday’s release.
Newsletter
Week in Review
Subscribe to our Chief Editor’s Week in Review
Our chief editor shares analysis and picks of the week's biggest news every Saturday.
Sign up for our newsletters
Get our pick of top stories and thought-provoking articles in your inbox
Get the CNA app
Stay updated with notifications for breaking news and our best stories
Get WhatsApp alerts
Join our channel for the top reads for the day on your preferred chat app