Google and iVerify reveal government-grade iPhone exploit kit spreading to hackers
Source: 9to5Mac
Under the hood
As spotted by Wired, a post published today on the Google Cloud Blog reveals details of an exploit kit called Coruna, which leverages five full iOS exploit chains and 23 vulnerabilities to compromise unpatched iPhones running iOS 13 through iOS 17.2.1.
At a very high level, the Coruna exploit kit works by chaining multiple vulnerabilities to progressively breach the iPhone’s security layers. After visiting a malicious site that uses hidden JavaScript to check the device model, system version, and other security settings, the attack can take multiple routes to:
- Bypass core iOS protections
- Gain high‑level privileges
- Install malware that can collect data or download additional modules
Google notes that the exploit checks whether the device has Lockdown Mode enabled and aborts the process if so, or if the user is in private browsing mode.
To be clear, the exploit kit targets iPhones running older iOS versions and is ineffective against the latest system versions. This is one of the many reasons why it’s important to keep devices updated.
For a deeper look into how Coruna works, and the full list of vulnerabilities (including CVEs, when available) that target each iOS release between iOS 13 and iOS 17.2.1, see the full post on the Google Cloud Blog.
Behind the scenes
Alongside Google’s post, mobile security company iVerify also published a report on Coruna, offering additional context about its possible origins.
Based on its reverse‑engineering of the framework, iVerify says Coruna appears to have been built on the same foundations as known US government hacking tools.
This is the first observed mass exploitation of mobile phones, including iOS, by a criminal group using tools likely built by a nation‑state.
Despite Coruna’s apparent shared roots with other US‑government‑linked hacking tools, it appears to have leaked and been deployed in campaigns by Russian spies and China‑based cybercriminals.
Reports from last year showed that spyware had moved beyond expected targets such as journalists and dissidents to hit executives in technology and financial services, political campaigns, and other people of influence or with privileged access. The more widespread the use, the more certain a leak will occur.
In observed campaigns, iVerify and Google say the exploit kit was delivered via “watering hole” attacks on compromised websites, including fake cryptocurrency services designed to lure victims to malicious pages. The final payload appears financially motivated, with modules designed to extract cryptocurrency wallet data and recovery phrases from infected devices.
To read iVerify’s full report, follow this link.