Suspected US Government iPhone-Hacking Toolkit now in the Hands of Criminals

A powerful, possible US government iPhone hacking toolkit

has now ended up in the hands of Russian spies

and criminal hackers.

It's infected tens of thousands of phones at minimum,

and it's still likely being used against new victims.

Security researchers at Google on Tuesday released a report

describing what they're calling Coruna,

a highly sophisticated iPhone hacking toolkit

that includes five complete hacking techniques.

Each of them is capable of bypassing all the defenses

of an iPhone and installing malware on an iOS device

when it simply visits a website

containing the exploitation code.

This is the first time an iPhone hacking technique

has ever been used so indiscriminately

in a criminal hacking campaign.

So, which devices are at risk?

Well, Google notes that Apple patched vulnerabilities

used by Caruna in the latest version of iOS, iOS 26.

In fact, the exploitation techniques are only confirmed

to work against iOS 13 through 17.2.1,

so make sure your iOS devices are updated.

Coruna targets vulnerabilities in Apple's web kit framework

for browsers, so Safari users on those older versions

of iOS would be vulnerable,

but there's no confirmed techniques in the toolkit

for targeting Chrome users.

Google also notes that Coruna checks if an iOS device

has Apple's most stringent security setting

known as Lockdown Mode enabled,

and it doesn't attempt to hack it, if so.

In total, Coruna takes advantage

of 23 distinct vulnerabilities in iOS.

That's a huge rare collection of hacking components,

and it suggests Coruna was created by a well-resourced

and likely state-sponsored group of hackers.

In fact, according to mobile security firm, iVerify,

it appears to have been written by English-speaking coders

and shares some suspicious code similarities

to a hacking tool known as Triangulation

that the Russian government attributed in 2023

to the US government.

Google has said only that the toolkit was first used

by a customer of a surveillance vendor.

From there, however, Coruna appears to have somehow ended up

in the hands of Russian spies

who used it to target Ukrainians.

Then most recently, it's been used to infect

Chinese language websites to steal cryptocurrency

from victims, as well as emails and photos.

If this rogue tool was originally created by a contractor

for the American government, as iVerify has suggested,

it raises serious concerns about the security

of our mobile devices in a world where highly sophisticated

hacking tools created for US surveillance agencies

can leak to adversaries.

But regardless of Coruna's origin,

Google warns that it now exists in the wild,

and it could still be adopted or adapted by any hacker group

seeking to target iPhone users.

Read more about Coruna at www.wire.com.