A Google taskforce revealed it found evidence of a sustained effort to hack iPhones over a period of two years, with attackers deploying malicious software on the device through visited websites.

In a series of technical posts, cybersecurity expert Ian Beer shared his findings of the attack. Beer is a member of Google’s Project Zero team, which has the goal of reporting security vulnerabilities, advocating improvements in popular systems and ultimately protecting users.

Beer wrote that Google’s Threat Analysis Group (TAG) discovered a small collection of hacked websites earlier this year, “used to indiscriminate watering hole attacks against their visitors” using iPhones.

Google said it told Apple about the security issues at the beginning of February, and the iPhone maker released an operating system update shortly after to fix the flaw.

Compromised iPhones
TAG found there was no target discrimination, and simply visiting a hacked website was enough for the exploit server to attack the device. If it was successful, it would install malicious software, gathering contacts, images and other data.

Beer wrote “these sites receive thousands of visitors per week”, and the breach covered almost every version from iOS10 to the latest iOS12. In total, Beer found the attack exploited 12 security flaws to compromise iPhones, with most bugs found on Safari, Apple’s default web browser.

Offering more details on the attack, the Google taskforce found that once the software was implanted, it could access huge amounts of data, which would then be relayed to an external server every 60 seconds.

Apps were also not safe, with data accessible from Instagram, WhatsApp and Telegram, among others.