"Earlier this year Google's Threat Analysis Group (TAG) discovered a small collection of hacked websites," Project Zero's Ian Beer said Thursday. "The hacked sites were being used in indiscriminate watering hole attacks against their visitors, using iPhone 0-day. There was no target discrimination; simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant. We estimate that these sites receive thousands of visitors per week."
Researchers ultimately discovered an estimated 14 vulnerabilities in total, with CNN reporting that half of them had been linked to the iPhone web browser. Apple was notified in February, and a software update quickly followed.
The hack is further described by Beer as an apparent "sustained effort to hack the users of iPhones in certain communities over a period of at least two years." Beer also noted this particular attempt marked "a failure case" for those responsible, but cautioned that there are "almost certainly others" that have not been uncovered.
As a recommendation, Beer offered that everyone should be aware of the fact that "mass exploitation still exists," a reality that means continuing to treat iPhones or other smart devices as essential to modern life while remaining conscious of the potential impact on that life should a security compromise prove successful.