Google researchers, who discovered this highly sophisticated virus that infects devices from an ordinary website, leave many gray areas by refusing to give details.
Visiting an infected website from an iPhone was enough. Within a few seconds, all the secrets the phone contained were stolen, copied by a computer virus without the owner noticing anything. Messages, photos, location: little escaped this malware, discovered by Google's security researchers. They revealed its existence on Thursday, August 29, surprising many experts in the field.
Their discovery is indeed troubling. First, the virus exploits 14 vulnerabilities in the software that runs Apple's phones and tablets, which is nonetheless considered well secured. According to the Google researchers, the virus had been active for more than two years, starting in 2016, and kept working until February 7, when Apple corrected these flaws after being warned by the researchers. The virus was fully effective even against the latest iPhone models running the latest version of iOS. While updating the phone is enough today, at the time there was no way to protect oneself.
Infected by simply visiting a website
Especially since the infection vector was particularly stealthy: an iPhone user only had to visit a website and, with no further action on their part, the virus entered the phone. Once inside, it immediately went after the archive of messages sent and received by the user through the main messaging applications, such as WhatsApp, Telegram, Gmail or iMessage (Apple's SMS system).
Most of these applications encrypt exchanges, making them impossible to read if they are intercepted. But the virus was able to get around this obstacle, since it attacked the messages stored on the phone, where they lack that protection. The malicious program also had access to the infected user's real-time geolocation, their photographs and their contacts. Finally, the hackers could recover passwords and identifiers stored on the phone (which, for example, allow the user to open their e-mail account without having to enter the password each time).
The virus could be eradicated simply by restarting the phone. One still had to know one was infected. And even this precaution was imperfect: since the hackers had already stolen the phone owner's passwords, they could continue to recover some of the owner's messages and data.
Many gray areas
Beyond these few certainties remain many shadowy areas about which the Google researchers, who say they have inspected "almost every byte" of the malicious program, are remarkably discreet and unclear. Google refused to answer our questions.
How many victims did this software claim? They do not say, but Ian Beer, the author of the work on the virus, mentions "whole populations". He also writes that the sites distributing the malicious program "receive thousands of visits a week". The number of victims would therefore be very large. But Google has chosen not to publish the names of these sites, nor their geographical location or their theme. All of this would make it possible to better understand the extent of the infection, to learn more about the targeted population and thus, indirectly, to have clues as to who is responsible for this very sophisticated malware.
The researcher says only that the hackers are "a group doing a lot of harm to hack iPhone users in some communities". Further on, in carefully chosen words and without it being certain that he is referring directly to the virus they discovered, he explains that "to be targeted, it may be enough to be born in a certain region or to be part of a certain ethnic group". Google has also kept secret the IP address (the equivalent of a postal address) to which the information taken from the victims was sent, a crucial piece of information for anyone trying to trace the identity of those responsible.
A state presumably behind it
One thing is certain about those responsible: they have substantial means, which suggests the involvement of a state. Some of the flaws used by the hackers are "zero-days". The term refers to flaws unknown to the software developer, who therefore cannot fix them. They are rare and very effective. In the case of iOS, they are usually obtained through intensive research or for a very large sum of money. In either case, the entity that designed this virus has significant resources. For Google's Ian Beer, even $20 million is a "low" figure given the capabilities of the software and the very broad reach of its distribution.
However, some of the attackers' practices contrast with these substantial means. First, the IP address was written into the virus code with no protection. Since this kind of information can often be traced back to them, attackers very often take care to hide it. Not here. Then there is the fact that the virus does not survive a phone reboot. Astonishing, given the high technical level needed to identify and use flaws to get into the phone. Finally, and most importantly, the data extracted from the phone was sent over the Internet to the server controlling the virus without encryption, exposed to any interception. So many elements that puzzle the experts who have examined Google's find.