The default email app on iPhones and iPads might be vulnerable to surreptitious malware attacks, at least if you ask a security research firm. ZecOps briefed the Wall Street Journal on a claimed vulnerability in Mail that lets attackers infect your device with malware without input — you wouldn’t have to tap a link or download a file. It’s “virtually undetectable” for users, the security firm said. While researchers didn’t explain exactly how the attack would work, it wold involve sending a specially designed message.
The exploit may have been use for a while. ZecOps said it had evidence attackers had used the flaw for at least two years. There had been at least six targets, including staff at a Japanese telecom, a “large North American firm,” tech companies in Israel and Saudi Arabia, a German individual and a European journalist.
The problem, though, is that evidence is relatively difficult to find. ZecOps found its evidence through hints in iOS, and couldn’t obtain the malware as the messages had already been deleted. Jamf Software security researcher Patrick Wardle also told the WSJ that the evidence of ongoing attacks was “compelling,” but not authoritative.
We’ve asked Apple for comment. The investigators believe Apple has fixed the flaw in an iOS beta (presumably 13.4.5), though, so it may not be an issue for long. If the findings are accurate, though, they suggest that a patch is coming long after hackers dealt their damage — however limited it might have been.