Earlier this year, Apple issued fixes as part of the iOS 12.1.4 update for a few security flaws that allowed an app to execute code with kernel privileges, among other vulnerabilities. There was no explanation at the time as to how the issues came to be, but Google's Project Zero team is out today with some details about those security flaws.
According to a blog post by Project Zero's Ian Beer, Google's Threat Analysis Group (TAG) discovered a "sustained effort" to launch attacks against iPhone users through hacked websites. Using an exploit server, these compromised sites would drop a malicious implant onto iPhone devices when visited. Once installed, the malware would collect private information including contacts, photos, and other data of the owner (via BBC).
Beer noted that there were thousands of visitors to these websites on a weekly basis. The attacks were limited only to certain communities and lasted for at least two years, with no target discrimination, according to Beer.
Based on five distinct exploit chains found by Google, it was revealed that the security flaws affected iOS 10 through to iOS 12. Beer went on to explain:
"Working with TAG, we discovered exploits for a total of fourteen vulnerabilities across the five exploit chains: seven for the iPhone’s web browser, five for the kernel and two separate sandbox escapes. Initial analysis indicated that at least one of the privilege escalation chains was still 0-day and unpatched at the time of discovery (CVE-2019-7287 & CVE-2019-7286)."
There's no word, however, on who could be behind these attacks. As usual, it is recommended to update to the latest version of iOS.