Google Flags Apple iOS Crypto Malware Targeting iPhones

TLDR

• Google researchers identified an Apple iOS exploit chain called DarkSword targeting unpatched iPhones.
• The exploit affects devices running iOS versions 18.4 through 18.7.
• Attackers use malicious or compromised websites to deploy the Ghostblade malware.
• Ghostblade targets major crypto exchange and wallet applications on infected devices.
• The malware collects messages, contacts, passwords, and crypto-related data before deleting itself.

Google researchers have identified a new exploit chain targeting Apple iOS devices. The chain deploys malware that focuses on cryptocurrency applications on unpatched iPhones. The researchers said attackers use the exploit in active campaigns across multiple regions.

Apple iOS Exploit Chain Delivers Ghostblade Malware

Google said the exploit chain, called DarkSword, affects devices running iOS 18.4 through 18.7. Researchers stated that the chain uses six vulnerabilities to gain access. They confirmed that attackers deploy the malware through malicious or compromised websites.

According to the report, the infection begins when a user visits a hostile website. The exploit then installs a JavaScript-based data stealer named Ghostblade. Google said, “Ghostblade focuses on rapid data collection before terminating itself.”

The malware searches for major crypto exchange apps on infected devices. It targets Coinbase, Binance, Kraken, Kucoin, OKX, and MEXC. It also scans for wallet apps such as Ledger, Trezor, MetaMask, Exodus, Uniswap, Phantom, and Gnosis Safe.

Ghostblade collects SMS and iMessage data from compromised phones. It also extracts call history, contacts, and saved Wi-Fi passwords. The malware retrieves Safari cookies, browsing history, and stored passwords.

Researchers reported that Ghostblade gathers Telegram and WhatsApp message history. It also captures location records, health data, and stored photos. After collecting data, the malware deletes temporary files and shuts down.

Google said multiple actors use the DarkSword exploit in the wild. These actors include commercial spyware vendors and state-backed groups. The company observed campaigns in Saudi Arabia and Ukraine.

Campaigns Target Crypto Users Across Regions

In Saudi Arabia, attackers distributed a fake Snapchat lookalike application. The application delivered the exploit to vulnerable devices. Google linked this campaign to actors seeking cryptocurrency-related information.

In Ukraine, attackers used compromised websites to spread the malware. One of the affected sites included a government domain. Google confirmed that the exploit activated when users accessed infected pages.

The researchers said Ghostblade focuses on fast data theft rather than surveillance. It collects available information and then removes traces. Google stated that the malware does not maintain persistent access.

The discovery follows recent crypto-focused malware incidents. Inferno Drainer stole about $9 million from crypto users over six months last year. Another campaign involved counterfeit Android smartphones pre-loaded with crypto-stealing malware.

Google urged users to update devices running vulnerable Apple iOS versions. The company said patched devices block the exploit chain. The findings mark the latest confirmed activity involving DarkSword and Ghostblade.

The post Google Flags Apple iOS Crypto Malware Targeting iPhones appeared first on Blockonomi.