What’s worse, the firm claims, is that this exploit has existed for close to 10 years. According to an article published on April 22, 2020, by San Francisco-based firm ZecOps, the iPhone contains a severe flaw in its native iOS Mail app that leaves it vulnerable to hackers.
What’s more, Apple was not previously aware of this flaw, making it extremely valuable to a diverse range of bad actors. ZecOps states that it believes “with high confidence that such vulnerabilities… are widely exploited in the wild in targeted attacks by an advanced threat operator(s).”
ZecOps believes that at least 6 high-profile targets fell victim to this exploit, including “individuals from a Fortune 500 company based in North America.” ZecOps declines to disclose the victims’ identities for security purposes and states that it was unable to obtain the malicious code, as the hackers are believed to have remotely deleted the email messages.
The new threat involves sending an email to the victim’s Mail application, which triggers the exploit in the context of the iOS Mail app on Apple devices running iOS 13 or iOS 12. The threat draws on 2 interrelated iOS zero-day exploits.
At this juncture, though, some security researchers, including Jann Horn (a member of Google’s Project Zero cybersecurity project), are questioning the validity of this claim, since ZecOps does not seem to have concrete evidence of the exploits being used that it feels comfortable sharing publicly.
Nevertheless, what escalates the danger of this particular exploit, in theory, is the claim that it does not require the victim to visit a malware-infested website, or to download a file. Rather, all it needs to remotely execute code on an iOS device is for the Mail app to receive the email, and for its user to open this message.
It was a long and painful investigation but worth every minute of it. Thank you to all the amazing people at @ZecOps making this possible <3.
— Zuk (@ihackbanme) April 22, 2020
ZecOps further says that it reproduced the results of this hack in its lab, after being alerted last summer to complaints of suspicious crashes on customers’ iPhones. It then disclosed these exploits to Apple last month, and ZecOps says Apple has already patched the vulnerability in the latest iOS beta release. The fix is expected to arrive in the non-beta version of iOS in an update to all users sometime in the coming weeks. Apple has reportedly declined to comment on these findings.
ZecOps states, “In order to mitigate these issues — one can utilize the most-recent beta available. However, if this is not possible, consider disabling the Mail application and use Gmail or Outlook, as these are not vulnerable.”