Experts reveal more info on this dangerous hacking tactic targeting your iPhone

Cybersecurity researchers from Kaspersky have revealed more details on TriangleDB, a piece of malware that targeted a zero-day vulnerability recently discovered in the iOS operating system.

In a detailed technical writeup, Kaspersky said the malware contains at least four different modules that allow it to record sounds using the device’s integrated microphone, extract iCloud keychain, steal data from SQLite databases, and even triangulate the device’s location by means of GSM (not GPS).

When GPS data is not available, the module in charge of tracking the victim’s location will use mobile country code (MCC), mobile network code (MNC), and location area code (LAC) to determine the exact location of the device. Whoever built the malware has also gone to great lengths to make sure they’re not spotted. The microphone module, for example, stops working when the victim turns the screen on, or when the battery drops below 10%. The malware also runs a few checks before running, to make sure it’s not installed in a research environment.

Advanced persistent threats

When it comes to the identity of the attackers, so far it’s still a mystery. The campaign is dubbed Operation Triangulation, and while the identity is unknown, Kaspersky described the operators as a “fully-featured advanced persistent threat (APT)”. 

APTs are often associated with state, or state-sponsored, threat actors tasked with government or corporate espionage and data theft.

To deploy the malware, the hackers leveraged zero-day vulnerabilities on iOS, tracked as CVE-2023-32434 and CVE-2023-32435. By sending a specially crafted message through the iMessage platform, the attackers could gain full control over both the endpoint and user data, without needing any interaction from the victim. 

“The adversary behind Triangulation took great care to avoid detection,” the researchers said. “The attackers also showed a great understanding of iOS internals, as they used private undocumented APIs in the course of the attack.”

Via TheHackerNews

More from TechRadar Pro

• Online scammers target desperate loan seekers using online fraud
• Here’s a list of the best firewalls today
• These are the best ID theft protection tools right now