Targeted Attacks on iPhones: New Details About Spyware

Another spyware has been used to launch targeted attacks on Apple devices. Similar to the “Pegasus” spyware usually used by state representatives, the monitoring software called “TriangleDB” comes discreetly via iMessage to the iPhone and works there only in main memory: restarting the device not only removes the spyware, but also removes all traces , such as the security company announced by Kaspersky.

advertisement

Otherwise, to make analysis and detection more difficult, the monitoring software will be automatically deleted after 30 days, but it can also be used for a longer period. Then the infection occurs again via iMessage.

Kernel vulnerability brings root privileges

According to the analysis, the attackers can remotely control the spyware, which gains root rights via a vulnerability in the kernel, thus practically taking over the entire device, with more than 20 commands. This includes the option to drill down into the file system and extract, create, and edit files. The malware is also capable of reading the victim’s access data stored in the keychain and tracking their location, as well as running other modules to monitor changes to files, for example. Location tracking usually only works while the screen is off. Kaspersky explains – It is meant not to make the user suspicious of the little compass arrow that the operating system displays. An attacker can also use this permanently.

Upon examining the spyware, they find a specific “macOS only” feature that is not used in the iOS version. Security researchers say this indicates that the malware is also intended to be used against Macs. Kaspersky plans to analyze the spyware further and has invited other security companies to share its findings.

It appears that the vulnerability in iOS 16 has been patched

As an antidote, Kaspersky only advises users to keep the operating system and applications updated. The Russian software company first drew attention to these “Operation Triangulation” spyware attacks in early June — exactly the same day that Russian domestic intelligence accused Apple of aiding the NSA with iOS vulnerabilities in espionage. Apple rejected the unsupported accusation in no uncertain terms.

advertisement

At the time, it was said that the latest vulnerable iOS version was iOS 15.7, and Apple patched the vulnerability in February 2023. However, at that time, the manufacturer only released a patch for iOS 16. Apple now allows two iOS systems to be locked. And macOS does even better with a shutdown mode specifically designed to protect against this type of spyware.

(lbe)