Kaspersky Says New Zero-Day Malware Hit iPhones—Including Its Own

Kaspersky says that the malware it discovered does not survive a reboot, but the researchers saw evidence that some devices were reinfected afterward. The exact vulnerabilities used in the exploit chain remain unclear, though Kaspersky says that one of the flaws was likely the kernel extension vulnerability CVE-2022-46690, which Apple patched in December.

Zero-click vulnerabilities can exist on any platform, but in recent years attackers and spyware vendors have focused on finding such flaws in Apple’s iOS, often in iMessage, and exploiting them to launch targeted attacks on iPhones. This is partly because services like iMessage, which automatically parse rich content from any sender without the user doing anything, present unusually fertile ground within iOS for discovering vulnerabilities, but also because attacks on iOS devices by this route are very difficult for victims to detect.

“Kaspersky, arguably one of the best exploit detection companies in the world, was potentially hacked via an iOS zero-day for five years, and it was only discovered now,” says longtime macOS and iOS security researcher Patrick Wardle. “That shows how ridiculously hard it is to detect these exploits and attacks.”

In their report, the Kaspersky researchers point out that one of the reasons for this difficulty is iOS’s locked-down design, which makes it very tough to inspect the operating system’s activity.

“The security of iOS, once breached, makes it really challenging to detect these attacks,” says Wardle, who was formerly an NSA staffer. At the same time, he adds that attackers would need to assume any brazen campaign to target Kaspersky would eventually be discovered. “In my opinion, this would be sloppy for an NSA attack,” he says. “But it shows that either hacking Kaspersky was incredibly valuable for the attacker or that whoever this was likely has other iOS zero days as well. If you only have one exploit, you’re not going to risk your only iOS remote attack to hack Kaspersky.”

The NSA declined WIRED’s request for comment on either the FSB announcement or Kaspersky’s findings.

With the release of iOS 16 in September 2022, Apple introduced a special security setting for the mobile operating system known as…