Last week’s significant hack of iPhones also targeted Android smartphones and Windows computers, it has been reported.
Google dropped hints about nation-state involvement in its announcement, but a separate report that Windows and Android devices were also on the target list offers a new twist to the story.
If correct, the inclusion of Windows and Android shouldn’t be surprising: when a campaign goes after a specific group of people through a small set of websites, it makes sense to cover as many kinds of computing device as possible so as not to miss anyone.
Of course, none of this can currently be verified. For now, these are simply unnamed sources talking to a few journalists, offering information that might never be confirmed.
Indeed, the fact that it is being taken seriously at all is partly down to the fact that the companies involved – Google, Microsoft, Apple – seem unwilling to deny any of it.
However, another way of understanding this story is to point out that the who and why is less important than the how.
Underscoring this is that Google’s original report mentions that unintended victims were also caught up in the attacks, which implies that anyone could be a victim of a future campaign.
Victims were reportedly infected with spyware after being persuaded to open a malicious link, a generic but effective tactic.
Reportedly, the compromised domains were indexed by Google search (perfectly normal if a domain is not yet known to be malicious), which prompted the FBI to ask the company to delist them.
The first issue is what has been done for the victims, both those targeted and those infected as collateral damage.
The campaign was discovered early in 2019, the iPhone vulnerabilities involved are known to have been fixed since then, and Apple’s process for deploying patches is well oiled. If Android or Windows devices were also involved, though, the patching timeline becomes less certain, because updates might be optional and slow to appear; on Android in particular, a fix only reaches a handset once the device maker and carrier ship it.
Flaws for sale
The risk is that when nation-state groups uncover flaws worth exploiting, and don’t report them, it creates breathing space for professional cybercriminals to discover them too (or, if they can’t, steal them).
Adding to this is the problem of software companies that write spyware for a living selling their tools to intelligence services, countries and, controversially, commercial organisations. At times it can seem as if the two types of attack – targeted nation-state malware and commercial spyware – are merging into one industry.
There’s no evidence that commercial spyware was connected to the latest iPhone campaign, but the sector’s growth may have caused the price attached to zero-day vulnerabilities to rise.
Companies like Google, Apple and Microsoft operate bug bounty programs in part to compete with the illicit market in vulnerabilities, and Apple recently raised its top bug bounty to $1 million.
This market can be contained but not easily stopped. When hackers can rely on a plentiful tool chest full of flaws, we all have something to lose, no matter who is behind an attack.