iPhone Security Breach: Hackers Steal Data with No Trace – iOS Vulnerability

by Chief Editor

Novel iPhone Spyware ‘DarkSword’ Targets Millions, Signaling Escalating Mobile Security Threats

A sophisticated new spyware, dubbed “DarkSword,” is actively targeting iPhone users, raising serious concerns about mobile security. Discovered by researchers at Lookout, iVerify, and Google, the exploit leverages compromised Ukrainian websites to deliver malicious code to devices running iOS versions 18.4 to 18.6.2.

Rapid Data Extraction and Stealthy Operation

DarkSword operates with alarming efficiency. Once a device is compromised, the spyware rapidly extracts sensitive data – including messages, emails, location history, Wi-Fi passwords, call logs, and even health data – within minutes. Crucially, it employs a “hit-and-run” technique, minimizing its footprint and making detection exceptionally difficult. The malware is written entirely in JavaScript.

Researchers note the exploit bypasses iPhone security defenses using Safari and a graphics feature called WebGPU. After gaining access, data is exfiltrated quickly, leaving almost no trace of the attack.

Widespread Vulnerability: Up to 270 Million Devices at Risk

The potential scale of the threat is significant. iVerify estimates that approximately 14% of devices globally – over 221 million – are running potentially vulnerable iOS versions. The total number of at-risk devices could reach 270 million if older or other unpatched iOS versions also contain similar vulnerabilities.

Attribution and Geopolitical Implications

The threat is believed to be linked to a threat actor known as UNC6353, previously identified by Google as having Russian affiliations. Evidence suggests this group, along with other state-sponsored hackers, has deployed DarkSword in countries including Saudi Arabia, Turkey, Malaysia, and Ukraine.

In Ukraine, UNC6353 compromised several websites, infecting visitors with the spyware. This highlights the increasing use of watering hole attacks – where attackers compromise legitimate websites to target specific user groups – as a means of delivering sophisticated malware.

DarkSword vs. Coruna: A Growing Trend

DarkSword is the second major iPhone spyware discovered this month, following the revelation of “Coruna” on March 3rd. Both exploits share similarities, including targeting Ukrainian users and being attributed to the same threat actor. This suggests a growing market for advanced mobile exploits, potentially accessible to both state-sponsored actors and financially motivated criminals.

Financial Motivation and Crypto Targeting

While Coruna appeared primarily focused on cryptocurrency theft, DarkSword exhibits a broader surveillance and intelligence-gathering capability. However, it also actively searches for cryptocurrency wallets, indicating a potential financial motive. The spyware’s ability to extract credentials from devices further amplifies this risk.

Future Trends in Mobile Exploitation

The emergence of DarkSword and Coruna signals several concerning trends in mobile security:

Increased Sophistication of Exploits

Exploit kits like DarkSword are becoming increasingly complex and expensive to develop, suggesting they are primarily accessible to well-resourced actors, including nation-states.

Expansion of the Mobile Attack Surface

Mobile devices are now central to both personal and professional life, making them prime targets for attackers. The attack surface is expanding beyond traditional app-based malware to include sophisticated exploits targeting the operating system itself.

Rise of Watering Hole Attacks

Compromising legitimate websites to deliver malware is a highly effective tactic, particularly for targeting specific groups or regions. This trend is likely to continue as attackers seek to bypass traditional security measures.

Focus on Surveillance and Data Exfiltration

The emphasis on surveillance and data exfiltration, as seen with DarkSword, suggests a growing demand for intelligence gathering capabilities. This could have significant implications for privacy and national security.

FAQ

Q: What iOS versions are affected by DarkSword?
A: iOS versions 18.4 to 18.6.2 are known to be vulnerable.

Q: How can I protect myself from DarkSword?
A: Update your iPhone to the latest iOS version (26.3 or later). Be cautious about visiting unfamiliar websites, especially in regions known to be targeted by cyberattacks.

Q: Is my data safe if I update my iPhone?
A: Updating to a patched version of iOS will mitigate the vulnerability. However, if your device was previously compromised, it’s possible your data may have already been accessed.

Q: What is a “watering hole” attack?
A: A watering hole attack involves compromising a website frequently visited by a specific group of people, then infecting visitors with malware.
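
For teams managing a fleet of iPhones, the version ranges in the FAQ above can be turned into a quick inventory triage. The following is an added example, not code from the researchers or the original article; the inventory format, device names and status labels are assumptions, and the sample data is constructed.

```python
import re

# Boundaries taken from the article: iOS 18.4 to 18.6.2 are known
# vulnerable; 26.3 or later is the recommended update target.
VULN_MIN = (18, 4, 0)
VULN_MAX = (18, 6, 2)
RECOMMENDED_MIN = (26, 3, 0)

_VERSION_RE = re.compile(r"\s*(?:iOS\s+)?(\d+)(?:\.(\d+))?(?:\.(\d+))?\s*", re.IGNORECASE)

def parse_ios_version(text):
    """Turn '18.6.2' or 'iOS 18.5' into a comparable (major, minor, patch) tuple."""
    m = _VERSION_RE.fullmatch(text)
    if not m:
        return None  # malformed or missing version string
    return tuple(int(part) if part else 0 for part in m.groups())

def classify(version_text):
    """Return a status label (hypothetical names) for one reported iOS version."""
    version = parse_ios_version(version_text)
    if version is None:
        return "unparsed"            # needs manual follow-up
    if VULN_MIN <= version <= VULN_MAX:
        return "known-vulnerable"    # inside the range named in the article
    if version >= RECOMMENDED_MIN:
        return "recommended"
    # Anything else is below the recommended release; the article notes that
    # older or unpatched versions may carry similar flaws.
    return "below-recommended"

def triage(inventory):
    """Group device ids by status from (device_id, version_text) pairs."""
    report = {}
    for device_id, version_text in inventory:
        report.setdefault(classify(version_text), []).append(device_id)
    return report

# Constructed sample inventory, e.g. as exported from an MDM console.
SAMPLE_INVENTORY = [
    ("phone-01", "18.4"),
    ("phone-02", "iOS 18.6.2"),
    ("phone-03", "18.7"),
    ("phone-04", "17.7.1"),
    ("phone-05", "26.3"),
    ("phone-06", "26.2"),
    ("phone-07", "unknown"),
]

if __name__ == "__main__":
    for status, devices in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{status}: {', '.join(devices)}")
```
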

Did you know? The DarkSword exploit kit is written entirely in JavaScript, making it particularly difficult to detect.

Pro Tip: Enable two-factor authentication on all your important accounts to add an extra layer of security.
