Security researchers at Google uncovered a "sustained" - at least two years - and indiscriminate campaign to hack iPhones through certain websites, allowing attackers to steal messages and files and track location data every 60 seconds.
In a deep-dive blog post published Thursday evening, Ian Beer, a security expert on Google's Project Zero, detailed how hackers had been using malicious websites to exploit an iPhone software vulnerability. The post did not name the websites or say how many people were victimized.
"There was no target discrimination; simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant," Beer wrote. "We estimate that these sites receive thousands of visitors per week."
The implant also collected password keychains, messages, address books and other personal information from users' apps, including WhatsApp, Telegram and Gmail.
This type of widespread yet random attack is rare, and it may be one of the biggest attacks ever on iPhone users. But there was a limit to the malware's power - it was erased if the iPhone was restarted, freeing users unless they returned to one of the malicious websites.
Apple did not immediately respond to a request for comment from the Post.
As Google's external security team, Project Zero researchers are dispatched to find all manner of weaknesses in popular technology. Since it was created in July 2014, the team has found and reported nearly 1,600 hardware and software vulnerabilities. But Project Zero has taken heat for its tough tactics: After reporting a bug, the team gives the vendor 90 days to fix it before Project Zero discloses the details publicly. (In some cases, Google will offer an additional 14-day grace period.)
Google contends that the hard deadline produces the best results. Earlier this month, Project Zero said that about 95.8% of the bugs it finds and reports are patched before the 90-day deadline.
But when Project Zero informed Apple of the breach on Feb. 1, it gave it seven days to fix it, citing the need for urgency. The iPhone maker released iOS 12.1.4 on Feb. 7.
Apple is notoriously guarded with its products, shielding them from even well-meaning hackers looking to probe iOS vulnerabilities. But the company gradually opened its products up to researchers, and recently announced plans to release a hacker-friendly phone to certain experts in the interest of uncovering vulnerabilities more quickly.
And at the Black Hat security conference in Las Vegas earlier this month, Apple's head of security engineering said the company will pay as much as $1.5 million for a "bug bounty" to any researcher who discovers iOS attack techniques and discreetly reports them to Apple.
In the blog post, Beer wrote that he didn't want to try to put a price tag on the attacks, but said that "$1 million, $2 million, or $20 million" seemed low given the attackers' ability to "monitor the private activities of entire populations in real time."
And while this operation ultimately failed as it was discovered by Project Zero, Beer made it clear that there are almost certainly more lurking and preying on people.
"All that users can do is be conscious of the fact that mass exploitation still exists and behave accordingly; treating their mobile devices as both integral to their modern lives, yet also as devices which when compromised, can upload their every action into a database to potentially be used against them."