Google security crew sheds light on long-running super-stealthy iOS spyware operation

Re: Entire populations: State sponsored?

Even the BBC failed to get a PR comment...guess El Reg asked ha ha.

Re: Entire populations: State sponsored?

There are really only two likely candidates for the "state" here, Israel and China. Each have ethnic groups / regions they're trying to repress, have the organization to develop such complex exploit chains, and most importantly iPhones have a high enough penetration within the country to make it worthwhile (in China the installed base is far more favorable for iPhones than simply looking at the sales of new devices) None of the other states repressing ethic/regional minorities that have the technical capability of doing this like Iran or North Korea would have enough iPhones to make it worth the expense.

It is too bad Google didn't reveal the websites in question, but I guess doing so would have made it obvious not only which state this was but who was being targeted, and they didn't want the potential blowback from calling someone out like that. Since Google has little to lose by calling out China I have to guess this was Israeli developed.

Re: Entire populations: State sponsored?

I'm not that sure. If mafias see a particular ethnic group as more interesting than other's to attack because of cultural habits can use, they will.

Ok, the probability for that to be true is less lower than your hypothesis ^^

Re: Entire populations: State sponsored?

Need it be a nation state, though? I mean, really?

Governments are not the only entities with that kind of money anymore. There are corporations out there with spending powers that would put them safely on the World stage.

Is it really that great a leap to imagine a corporation spotting a strong enough correlation to make it worth targetting an entire ethnic group, if they caught a faint whiff of money in it? If you run the numbers, and discover that a certain group of people have a certain habit in common -- not universally, but sufficiently more so than the general population to be worthwhile -- and there is a way for you to get some of that action, wouldn't you? A corporation would justify it by saying not to do so would be a disservice to their shareholders. (Never mind the disservice they were doing to victims of the very racism being promoted by playing to the stereotype.)

Of course, if that ethnic group happens to be anything besides "European Agnostics", it is going to require extraordinary sensitivity even to report the story without inflaming tensions. The far right will claim that one particular stereotype happening to line up with observed reality in some cases proves them correct, while members of the minority in question will be understandably angry.

Actually, I can see the attraction in believing it to be a nation state responsible for this after all. Much less nasty stuff to think about .....

Re: Email?

Weak passwords are enough the compromise an email. Has nothing to do with a phone!!!

Re: So, can we know...

Website: It is far more effective to hack websites that are poorly administered rather than websites you control to prevent a direct trail to you. Hackers employ indirection to prevent casual administrators from determining who is running the CnC operations. A skilled forensics person will be able to do a better job. But that takes money. Better is to rebuild the website.

Re: So, can we know...

As I said above, since they indicated it was targeted at particular ethnic groups / regions it is almost certain that revealing the websites would make it quite obvious who was being targeted and therefore who was doing the targeting, and Google didn't wish the potential blowback from calling them out. My money is on Israel, because Google would have little to lose by calling out China since they have very little presence there.

OK.. You be sure. If it makes you sleep better.

Re: "We estimate that these sites receive thousands of visitors per week."

Yes, that there was a pretty obvious reason why they didn't want to reveal the websites, because it would have called out the state that sponsored the development of these complex exploit chains.

Re: "We estimate that these sites receive thousands of visitors per week."

Oh. Interesting. Just realized something. Would also wonder what kind of sites those were.

"and on iOS you can only use Safari browser"

I've installed two other browsers on my iPAD, one of which is Firefox.

re: Have Apple hushed this up?

Only if you consider Google putting out a press release an Apple cover up.

This is simple. Apple didn't publicise this because it makes them look bad. Google publicised this because it makes Apple look bad.

Re: iOS Exploit avalanche, full scale overseas attack on iPhone

Of course. And my gran runs a covert operation for Mossad. Out of her corner shop.

Re: When under state surveillance...

LOL I wonder who downvoted even though there's a trollface.