Targeted attacks on iPhones: New details on spyware

Another piece of spyware has been used for targeted attacks on Apple devices. Similar to the “Pegasus” spyware usually used by state actors, the surveillance software called “TriangleDB” arrives discreetly on an iPhone via iMessage and runs there only in main memory: rebooting the device eliminates not only the spyware but also all traces of it, as the security company Kaspersky announced.

Otherwise, to make analysis and detection more difficult, the monitoring software is automatically deleted after 30 days, although it can also be used for longer. Reinfection then takes place via iMessage.

According to the analysis, the spyware gains root rights via a kernel vulnerability and thus takes over the device practically completely; attackers can control it remotely with over 20 commands. These include the option to go deep into the file system and extract, create and edit files. The malware is also able to read the victim’s access data stored in the keychain and track their location, as well as run other modules, for example to monitor changes to files. Location tracking usually only works while the display is off, explains Kaspersky, presumably so that the small compass arrow displayed by the operating system does not make the user suspicious. The attacker can also use location tracking permanently.

When examining the spyware, the security researchers found a specific “macOS only” feature that is not used in the iOS version. They explain that this indicates that the malware is also intended to be used against Macs. Kaspersky plans to analyze the spyware further and has called on other security companies to share their findings.

As a countermeasure, Kaspersky only advises users to keep the operating system and apps up to date. The Russian software company first drew attention to these “Operation Triangulation” spyware attacks in early June, on the very same day that the Russian domestic intelligence service accused Apple of helping the US intelligence agency NSA with iOS vulnerabilities in espionage. Apple rejected the unsupported accusation in no uncertain terms.

At the time, it was said that the latest vulnerable iOS version was iOS 15.7, and that Apple had patched the vulnerability in February 2023. At that time, however, the manufacturer only released a patch for iOS 16. Apple now lets users better secure iOS and macOS with a lockdown mode that is specifically designed to protect against this type of spyware.



(lbe)
