Google Reveals: Apple iOS Hit by 'DarkSword' Vulnerability Chain, Ghostblade Malware Steals User Data

Google's security team has disclosed a vulnerability exploitation chain named 'DarkSword' that successfully deploys Ghostblade malware, capable of stealing sensitive information from iPhone users. Attackers are spreading it through infected websites, with related activities found in Saudi Arabia and Ukraine. Google urges users to update their iOS systems promptly to mitigate risks.

Google's security research team recently released a report revealing a vulnerability exploitation chain named 'DarkSword' that successfully deploys the Ghostblade malware, posing a threat to Apple devices running iOS versions 18.4 to 18.7. Researchers noted that attackers exploited six previously unknown vulnerabilities to achieve jailbreak-like access to iPhones. Once users visit a malicious or tampered website, Ghostblade is quietly implanted.

Ghostblade is a JavaScript-based data-stealing program that focuses on quickly collecting sensitive user information before self-destructing. According to Google's report, this malware can deeply access and extract various data from infected devices, including but not limited to SMS and iMessage content, call logs, contact information, and stored Wi-Fi passwords. Additionally, it scrapes cookies, browsing history, and saved passwords from the Safari browser.

Even more concerning, Ghostblade can access chat logs from instant messaging applications like Telegram and WhatsApp, as well as users' geolocation data, health information, and photos stored on the device. After completing its data collection tasks, Ghostblade deletes its temporary files and terminates its operation, attempting to erase all traces.

Google observed that the attackers using the 'DarkSword' vulnerability chain are not a single entity: they include both commercial spyware vendors and state-backed attack organizations. Related attack activities have been identified in Saudi Arabia and Ukraine.

In the attacks in Ukraine, the attackers used tampered websites as distribution channels, including a government domain. Google confirmed that the exploitation chain is triggered when users browse these infected pages.

This incident is not an isolated case, as the cryptocurrency sector has recently seen a surge in malware incidents. Last year, the Inferno Drainer malware caused approximately $9 million in losses for crypto users within six months. Other attack activities involved the distribution of counterfeit Android phones preloaded with cryptocurrency-stealing malware.

Google strongly recommends that users running the affected iOS versions update their devices to the latest system as soon as possible. Official patches can effectively prevent the exploitation of the 'DarkSword' vulnerability chain. The disclosure of 'DarkSword' and the Ghostblade malware marks the latest confirmation of a new wave of cybersecurity threats targeting Apple devices.
