iPhone users should update their software amid hacking campaigns

Apple is encouraging people to update their iPhones because of new cybersecurity research that suggests Russian intelligence, Chinese hackers and other hackers have been using tools dubbed DarkSword and Coruna to take over phones running older versions of the iOS operating system.

The tools, called exploit kits, were detailed this month by Google and cybersecurity companies iVerify and Lookout. Both can give hackers deep remote access to victims’ phones and let them search their content.

On Wednesday, iVerify wrote in a press release: “DarkSword appears to be a surveillance and intelligence-gathering tool, gathering data that includes Wi-Fi passwords, text messages, call history, root location history, browser history, SIM card and mobile data as well as health information, notes and calendar.”

Apple spokeswoman Sarah O’Rourke said both tools can only work against devices running older versions of Apple’s operating system, reinforcing the need for people to install updates regularly.

“Keeping software up-to-date is still the single most important thing users can do to maintain maximum security for their Apple devices,” she said.

The news has caused concern among industry experts that although Apple enjoys a reputation for producing devices that are more secure from hackers than other brands, devices running older software may still be vulnerable to takeovers.

Research from the three companies on the campaigns shows several groups of people targeted by the iPhone hacking tools: Ukrainians targeted by Russian intelligence; Chinese cryptocurrency users; and people from Saudi Arabia, Turkey and Malaysia.

While none of the companies have reported evidence that Americans have been targeted, the tools could easily be used to hack anyone with outdated iOS, said John Scott-Railton, a senior researcher at Citizen Lab, a cybersecurity lab funded by the University of Toronto.

“The barrier to entry for a widespread mobile attack has been completely lowered,” Scott-Railton told NBC News. “It is clear that this problem will only grow.”

“What scares ordinary users is that they can’t see this attack,” he said.

Apple’s latest operating system, iOS 26, was released in September and protects users from both hacking campaigns, according to the company. Last week, Apple made the unusual move of releasing a special update for iPhone users with older devices that can’t fully handle the upgrade to iOS 26, mainly to prevent hackers from using the hacking tools.

Research into the campaigns shows that both infect phones with a so-called watering hole attack, in which a website is built or compromised to serve code that exploits the way phones process web traffic and can automatically infect vulnerable phones that visit it.

Hacking an iPhone is still a huge technical challenge, and both campaigns rely on a complex series of hacks working together to take over the phone.

Coruna has a remarkable history. Peter Williams, a former cyber chief at military defense contractor L3Harris, pleaded guilty last year to selling his company’s hacking tools, including Coruna, to a Russian vendor.

That tool was used last summer by hackers linked to Russian intelligence groups, Google found, targeting Ukrainians, according to iVerify.

It is not clear how, but in December, Chinese hackers had found the tool and started to create “a very large set of Chinese websites that are mainly related to finance,” said Google, with the aim of stealing cryptocurrency.

Bitcoin and other cryptocurrencies are particularly attractive to cybercriminals, as they can be sent quickly to a criminal site, often without the victim having the means to retrieve them.

The origin of the second tool, nicknamed DarkSword, is unknown, but it was also used by the same Russian intelligence service, Google said. Its use is widespread and seems to have expanded into several related versions affecting the people of Ukraine, Malaysia, Saudi Arabia and Turkey.

Many companies that sell hacking tools to governments have adopted the tool, Google said. Since November, the company has “seen numerous commercial vendors and suspected government-sponsored actors using DarkSword in separate campaigns,” Google said.

Rocky Cole, CEO of iVerify, said these campaigns should dispel the idea that having an iPhone alone is enough to protect against hackers.

“There’s been this perception in the security community that iPhone attacks are like mythical creatures, they’re rare,” he said.

“No, we don’t really have the tools to see these things. I have a feeling it’s a lot more common than people think.”
