Apple has released a patch to stop a mysterious piece of spyware that’s been infecting iPhones in Russia and at the antivirus provider Kaspersky.
On Wednesday, Cupertino issued the patches for iOS, macOS, iPadOS and watchOS, three weeks after Kaspersky disclosed it had discovered the so-called “Triangulation” spyware on several dozen iPhones belonging to company employees.
The spyware is raising alarms because it can infect an iPhone through malicious messages sent over iMessage. No user interaction is required.
Apple’s patch notes also suggest the spyware is particularly powerful. By exploiting a flaw in the company’s software, Cupertino says “an app may be able to execute arbitrary code with kernel privileges,” allowing it to tamper with the core part of the operating system. In response, Apple has issued patches for iPhone models going back to the 6s.
On the same day, Kaspersky also released more details about its investigation into the Triangulation spyware, which differs significantly from other spyware tied to commercial surveillance companies, such as Israel’s NSO Group.
Kaspersky's report also confirmed that Triangulation can exploit the iOS kernel to gain root privileges. It’ll then deploy a spyware implant that only operates within the device’s RAM, “meaning that all traces of the implant are lost when the device gets rebooted.”
Hence, the operator of the spyware has to infect the phone again to maintain a presence on the device if it ever reboots. But this also means it can be hard for security researchers to uncover the spyware. “In case no reboot occurs, the implant uninstalls itself after 30 days, unless this period is extended by the attackers,” Kaspersky added.
The company noted it “took about half a year” before it could gather enough evidence on how the spyware largely worked. Kaspersky found the spyware implant can receive orders from primary and then fallback command-and-control servers. The implant has also been designed with at least 24 commands, including the ability to steal files from the device, monitor the user’s location, pilfer passwords and run other malicious programs.
In addition, the company uncovered technical details that suggest Triangulation could have also been used to target macOS devices. However, Kaspersky’s report doesn’t mention who might have created the spyware, although the investigation continues.
Still, this hasn’t stopped the Russian government from claiming the spyware comes from the US. The Kremlin has even gone as far as to accuse Apple of colluding with US intelligence services on developing Triangulation. “It has been determined that several thousand devices of this brand have been infected,” Russia's Federal Security Service (FSB) announced earlier this month when Kaspersky initially alerted the public about the Triangulation spyware.
However, Apple has denied any involvement, telling Reuters that the company “never worked with any government to insert a backdoor into any Apple product and never will.”
In the meantime, users can update their iPhones by going to Settings > General > Software Update. The device can also update automatically if you’ve toggled on automatic updates.