Apple is encouraging people to update their iPhones in light of new cybersecurity research that suggests Russian intelligence, Chinese cybercriminals and other hackers are using tools called DarkSword and Coruna to take control of phones with older versions of the iOS operating system.
The tools, known as exploit kits, were detailed this month by Google and the cybersecurity companies iVerify and Lookout. Both can give hackers deep remote access to a victim’s phone and allow them to search its contents.
On Wednesday, iVerify wrote in a news release: “DarkSword appears to be a surveillance and intelligence gathering tool, comprehensively capturing data including Wi-Fi passwords, text messages, call history, route location history, browser history, SIM cards, cellular data, health status, notes, and calendar databases.”
Apple spokeswoman Sarah O’Rourke said the two tools only work on devices running older versions of Apple’s operating systems, increasing the need for regular updates.
“Keeping software up to date remains the most important thing users can do to keep their Apple devices highly secure,” she said.
The news has raised concerns among industry experts that, while Apple has a reputation for making devices more secure from hackers than other brands, devices running older software could still be vulnerable to hijacking.
According to research from the three companies on the campaigns, several groups of people have been targeted by the iPhone hacking tools: Ukrainians targeted by Russian intelligence services, Chinese virtual currency users, and people in Saudi Arabia, Türkiye, and Malaysia.
The tools could also easily be used to hack anyone running an older version of iOS, although none of the companies has reported evidence that Americans were targeted, said John Scott-Railton, a senior researcher at Citizen Lab, a cybersecurity research lab sponsored by the University of Toronto.
“The barrier to entry for widespread and destructive mobile attacks has been significantly lowered,” Scott-Railton told NBC News. “It’s clear that this problem is only going to get bigger.”
“The scary thing for regular users is that they won’t be able to detect this attack,” he said.
Apple’s latest operating system, iOS 26, released in September, protects users from both hacking tools, according to the company. Last week, Apple took the unusual step of releasing a special update for iPhone users with older devices that aren’t compatible with a full iOS 26 upgrade, specifically to block hackers from using the tools.
According to the research, both campaigns infect mobile phones through so-called watering hole attacks. In such an attack, a website is built or compromised to carry code that exploits the way mobile phones handle web traffic, potentially infecting vulnerable phones automatically when they access it.
iPhone hacking remains a significant technical challenge, and the two campaigns rely on a complex chain of hacks working together to take over the phone.
Coruna has a surprising origin. Peter Williams, a former cyber executive at military defense contractor L3Harris, pleaded guilty last year to selling his company’s hacking tools, including Coruna, to Russian brokers.
According to iVerify, the tool was introduced by hackers linked to Russian intelligence last summer, and Google found it was targeting Ukrainians.
Google said it was unclear how, but by December Chinese cybercriminals had obtained the tool and begun creating “a very large scale of fake Chinese websites, primarily financial-related,” with the purpose of stealing cryptocurrencies.
Bitcoin and other cryptocurrencies are particularly attractive targets for cybercriminals because they are quickly transferred to the criminal’s possession and victims often have no means of getting them back.
The origin of the second tool, called DarkSword, is unknown, but Google said it was also used by the same Russian intelligence unit. Its use seems to have spread and multiplied into several related versions affecting people in Ukraine, Malaysia, Saudi Arabia, and Turkey.
Google said DarkSword is being used by several companies that sell hacking tools to governments. Since November, the company “has observed multiple commercial surveillance vendors and suspected state-sponsored threat actors utilizing DarkSword in different campaigns,” Google said.
Rocky Cole, iVerify’s chief operating officer, said the campaigns should dispel the idea that just owning an iPhone is enough to protect you from hackers.
“There was a perception in the security community that attacks against the iPhone were a mythical beast, a rarity,” he said.
“No, we just don’t really have the tools to check these things. I feel like this is more prevalent than people realize.”
