The data-stealing iPhone exploits detailed by Google last week may been used for state-sponsored campaigns targeting the Uyghur Muslim minority in China‘s autonomous region of Xinjiang.
“The websites were part of a campaign to target the religious group by infecting an iPhone with malicious code simply by visiting a booby-trapped web page,” TechCrunch revealed, citing sources familiar with the matter.
“In gaining unfettered access to the iPhone’s software, an attacker could read a victim’s messages, passwords, and track their location in near-real time,” the report said.
What’s more, it appears the same websites also targeted Android and Microsoft Windows PCs in a similar campaign, according to Forbes. “The attacks were updated over time for different operating systems as the tech usage of the Uyghur community changed,” the source told Forbes.
TechCrunch added that the websites also infected non-Uygurs who mistakenly accessed these websites because they showed up in Google search results. This apparently led the US Federal Bureau of Investigation (FBI) to ask the company to de-index the sites and reduce the number of infections.
Last week, the search giant’s Project Zero security team disclosed a hacking campaign that had exploited five distinct iOS exploit chains by embedding those attacks in websites that were used as a watering hole to infect the phones of thousands of victims.
The unpatched zero-days were exploited by hackers to install spyware that stole photos, chat messages, emails, and login credentials from iPhones and iPads. The websites had “thousands of visitors” per week in what Google called a “sustained effort to hack the users of iPhones in certain communities over a period of at least two years.”
The exploit chains affected iOS versions spanning from iOS 10.0.1 released in September 2016 to 12.1.2 issued last December. Apple fixed the vulnerabilities in iOS 12.1.4 in February, within a week after Google privately notified the iPhone maker of the flaws.
But the deep-dive analysis by Project Zero researcher Ian Beer stopped short of revealing the names of the websites and the threat actors behind the attacks.
The move, if true, marks the Chinese government’s continued efforts to repress all forms of political or religious dissent in Xinjiang, effectively turning it into a prison.
China has long considered the province a breeding ground for “separatists, terrorists and religious extremists,” with the residents of the region — ethnically Turkic Muslims — the subject of persecution and heightened surveillance.
Aside from deploying flocks of robotic “Dove” drones to snoop on the Uyghur community, their WeChat conversations have been monitored for suspicious activity, and they have had their DNA samples, fingerprints, iris scans, voice samples, and blood types collected.
As of last year, more than two million Uyghurs and Muslim minorities have been thrown into concentration camps, made to memorize Communist Party propaganda, and renounce Islam, prompting over 20 countries to call on China to halt its mass detention efforts.
The fact that the attackers could bypass iOS security mechanisms and continuously exploit the vulnerabilities for over two years colors the reputation of iOS as the most hardened mainstream operating system.
If anything, the stumbles indicate that Cupertino still has work to do in safeguarding its devices and services, and it’s time for the company to deeply examine its own software for issues that resulted in the flaws that’ve made those iPhone attacks possible.