iPhone spyware arrives via iMessage and, according to an analysis, can manipulate files and track location. Macs may also be among the targets. Another spyware has been used to target Apple devices. Similar to the spyware “Pegasus”, which is usually used by state actors, the surveillance software called “TriangleDB” arrives discreetly via iMessage on an iPhone and runs there only in the working memory: Restarting the device not only wipes out the spyware, but also all traces, as the security company Kaspersky announced.

To make analysis and detection more difficult, the monitoring software would otherwise delete itself automatically after 30 days, but could also be used for longer. A new infection then occurs again via iMessage.

Kernel vulnerability brings root privileges

Attackers can remotely control the spyware, which gains root privileges via a kernel vulnerability and thus practically takes over the device completely, with over 20 commands, according to the analysis. These include the option to deeply interfere with the file system and extract as well as create and edit files. The malware is also capable of reading the victim’s credentials stored in the keychain and tracking its location, as well as running other modules to monitor changes to files, for example. The location tracking usually only works as long as the display is turned off, Kaspersky explains - presumably to avoid making the user suspicious of the small compass arrow displayed by the operating system. However, the attacker can also use this permanently.

During the investigation of the spyware, a certain “macOS only” function was found, which is not used in the iOS version. The security researchers explain that this indicates that the malware is also intended to be used against Macs. Kaspersky plans to further analyze the spyware and has called on other security companies to share findings about it.

Vulnerability in iOS 16 apparently patched

Kaspersky’s only advice to users is to keep their operating systems and apps up to date. The Russian software company first drew attention to these spyware attacks, dubbed “Operation Triangulation,” at the beginning of June - on the very same day that the Russian domestic intelligence service accused Apple of helping the U.S. intelligence agency NSA to spy with iOS vulnerabilities. Apple rejected the unsubstantiated accusation in no uncertain terms.

At that time, it was said that the latest vulnerable iOS version was iOS 15.7, and Apple had plugged the vulnerability in February 2023. At that time, however, the manufacturer only released a patch for iOS 16. Apple now allows iOS and macOS to be better secured by a lockdown mode, which is supposed to specifically protect against such spyware.


Contact & Information

Do you have suggestions for improvement or would you like to have an article translated / created? Please contact me!