Google, Security Firms Warn of New iPhone Exploit Targeting Older iOS Versions

Cybersecurity researchers have said they discovered a new iPhone-hacking technique that targets devices running older versions of Apple’s mobile operating system, highlighting the risk of not keeping the software up to date.

Researchers at Google Threat Intelligence Group, along with mobile security firms iVerify and Lookout, published their findings on March 18 describing an exploit framework they call “DarkSword.” The tool was used in attacks delivered through compromised websites and was designed to infect iPhones running iOS 18.4 through 18.7, with some observed campaigns specifically targeting versions 18.4 through 18.6.2.

According to Google, DarkSword chains together “six different vulnerabilities” to compromise iPhone’s Safari browser and ultimately gain deep access to a device. Once successful, the tool can steal a wide range of data, including text messages, contacts, iCloud files, photos, cryptocurrency wallets, call logs, location history, and more.

Lookout described DarkSword as using a “hit-and-run” approach, allowing attackers to quickly extract valuable information and disappear before many traditional detection tools can respond. Google said the exploit chain was used by multiple threat actors, including a suspected Russian espionage cluster targeting Ukrainian users.

The scope of the risk could be substantial. According to iVerify’s estimate, as many as 270 million iPhones worldwide may still be running exposed iOS 18 versions, though the exact number of devices that remain vulnerable in practice depends on patch adoption and the specific exploit chain involved.

“We urge everyone to update to the latest available iOS version that contains fixes for all vulnerabilities used in this exploit,” iVerify said. The most up-to-date version at the time of this publication is 26.3.1 for modern iPhones and 18.7.6 for legacy models such as iPhone XS and iPhone XR.

The new findings follow earlier disclosures about another advanced iPhone exploit kit known as “Coruna.” Google previously described Coruna as a highly sophisticated toolkit capable of silently compromising iPhones when users open malicious links, and said it relied on 23 distinct vulnerabilities covering versions from iOS 13 to iOS 17.2.1.

Researchers said both DarkSword and Coruna were used in campaigns linked to suspected Russian espionage targeting Ukrainian users. In those operations, the attackers embedded malicious code into components of otherwise legitimate Ukrainian websites, including online news outlets and a government agency site, in order to harvest data from visitors’ phones.

DarkSword has also been seen in attacks targeting victims in Saudi Arabia, Turkey, and Malaysia, according to researchers.

Separately, another use of Coruna appeared to be financially motivated, with China-based hackers using it on Chinese-language cryptocurrency and gambling sites to deliver malware designed to steal users’ digital assets.

A spokesperson for Apple confirmed to The Epoch Times that its recent security updates protect users against both Coruna and DarkSword. The company also said enabling Lockdown Mode—its highest-security setting for users at elevated risk, such as journalists and government officials—would help block these attacks.

“Keeping software up to date remains the single most important thing users can do to maintain the high security of their Apple devices,” the spokesperson said.