Rare iPhone Spyware Can Infect Devices With a Single Website Visit, Researchers Say

Researchers say DarkSword can hack an iPhone through Safari after a single visit to a compromised website.

Written by Akash Dutta, Edited by Ketan Pratap | Updated: 19 March 2026 13:42 IST
Highlights
  • Google says DarkSword used multiple iOS flaws in one exploit chain
  • The spyware was designed to steal messages, passwords, and photos
  • Apple is said to have patched the bugs across several iOS releases

DarkSword used Safari, GPU, and kernel exploits to move from a website visit to full iPhone compromise

Photo Credit: Unsplash/Norwood Themes

A newly documented iPhone spyware tool is said to compromise a device simply through a visit to a hacked website. As per security researchers, the toolkit, dubbed DarkSword, was used in campaigns targeting people in Ukraine and relies on a chain of exploits that lets attackers break into Safari, escape its security layers, gain deeper access to iOS, steal data, and then remove themselves within minutes. The spyware is said to only target iPhones running specific versions of iOS 18. Apple is said to have patched the vulnerabilities.

New Dangerous iPhone Spyware Discovered

Google Threat Intelligence Group (GTIG), in partnership with Lookout and iVerify, identified a new iOS full-chain exploit that leveraged multiple zero-day vulnerabilities (flaws exploited before a fix was publicly available) to completely compromise devices. A full-chain exploit means the toolkit links together several bugs to move from a web page to full control of the phone.


In this case, the attack starts in JavaScriptCore, the engine used by Safari and WebKit to run website code. From there, the attackers break out of Safari's sandbox, a security boundary meant to isolate risky web content. The chain first compromises the GPU process and then moves into a more privileged iOS system service called mediaplaybackd. Finally, it uses kernel flaws to raise privileges even further and deploy the spyware payload.

Google said the chain used multiple vulnerabilities across Apple's software stack, including memory corruption bugs in JavaScriptCore, a flaw in ANGLE used by Safari's graphics handling, and kernel issues in XNU, the core of iOS. Some of those flaws were exploited as zero-days, meaning attackers used them before fixes were publicly available. The researchers say the relevant fixes were shipped by Apple across iOS 18.6, 18.7.2, 18.7.3, 26.1, 26.2, and 26.3, depending on the bug.
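For teams managing iPhones, the release list above can be turned into a quick inventory triage. The following is an added example, not code from GTIG, Apple or the article; the device names and inventory are constructed, and it assumes a release carries the fixes of earlier listed releases on the same major branch.

```python
# Fix releases named in the article. Which bug each one closes is not stated there.
FIX_RELEASES = ["18.6", "18.7.2", "18.7.3", "26.1", "26.2", "26.3"]

def parse(version):
    """'18.7' -> (18, 7, 0); pads to three fields so tuples compare correctly."""
    fields = version.split()
    if not fields:
        raise ValueError("empty version string")
    parts = [int(p) for p in fields[0].split(".")]  # int() raises ValueError on junk
    if len(parts) > 3:
        raise ValueError("too many version fields")
    return tuple(parts + [0] * (3 - len(parts)))

def missing_fixes(version):
    """Listed fix releases on the device's major branch that are newer than it."""
    v = parse(version)
    return [r for r in FIX_RELEASES if parse(r)[0] == v[0] and parse(r) > v]

def triage(inventory):
    """Map device id -> (status, listed fix releases the device has not reached)."""
    branches = {parse(r)[0] for r in FIX_RELEASES}
    report = {}
    for device, version in inventory.items():
        try:
            major = parse(version)[0]
        except ValueError:
            report[device] = ("unparseable", [])  # needs manual review
            continue
        if major not in branches:
            # The article lists no fix release for this branch.
            report[device] = ("no-listed-branch", [])
        else:
            gaps = missing_fixes(version)
            report[device] = ("update" if gaps else "current", gaps)
    return report

# Constructed sample inventory (hypothetical device names and versions).
SAMPLE_INVENTORY = {
    "iphone-a": "18.5",
    "iphone-b": "18.7.2",
    "iphone-c": "18.7.3",
    "iphone-d": "26.2",
    "iphone-e": "17.7.1",
    "iphone-f": "beta",
}

if __name__ == "__main__":
    for device, (status, gaps) in triage(SAMPLE_INVENTORY).items():
        print(f"{device}: {status} {gaps}")
```
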


The attack is described as a watering hole campaign. That means attackers compromised websites that their targets were likely to visit, then used those sites to deliver the exploit. Google claimed a suspected Russian espionage group, UNC6353, used DarkSword in watering hole attacks on Ukrainian websites, while TechCrunch reported that the malware was designed to infect anyone who visited certain Ukrainian sites from within the country.

As per the publication, DarkSword was built to steal passwords, photos, browser history, and messages from apps, including WhatsApp and Telegram, along with SMS texts. Researchers also found code aimed at cryptocurrency wallet apps; however, it cannot be said for sure that the main objective behind spreading the spyware was financial gain.


Unlike spyware built for long-term surveillance, DarkSword appears to be designed for a quick smash-and-grab operation. Researchers said its dwell time on a device was likely measured in minutes, just long enough to collect and send data out before disappearing. GTIG also shared code snippets showing efforts to delete crash logs, which would make the intrusion harder to spot.

While it is not easy to stop the spyware once a device has already been infected, users can minimise the chances of infection by avoiding unfamiliar or high-risk websites, especially in conflict-related or politically sensitive contexts. As per GTIG, the hacker group behind the spyware has also deployed the exploit chain in Saudi Arabia, Turkey, and Malaysia. The total number of infected devices is difficult to gauge.

 
