Security researchers have detected critical flaws in the pre-installed Apple email application on iPhone and iPad that are being exploited to spy on high-profile victims. Cybercriminals have been exploiting the weaknesses for at least two years.
Millions of iOS users are vulnerable: remote hackers can take complete control of the device once the user's account is logged in on the vulnerable application. The researchers reported the flaws to Apple about two months ago.
Cybercriminals use these exploits to leak, modify, and delete emails. According to the report, the attacks have only been against the following targets:
- Individuals from a Fortune 500 Organization in North America
- Executive from Japan
- Journalist in Europe
- VIP from Germany
- Managed Security Providers in Israel and Saudi Arabia
According to the research firm, the attack consists of sending a specially crafted email to the victim's mailbox, which triggers the operating system's vulnerability through the iOS mobile Mail application on iOS 12 or iOS 13. The email crashes the application, forcing the victim to reboot the device; during the reboot, the hackers start accessing confidential information on the device. What makes these exploits more daunting is that the email that triggered the hack is nowhere to be found.
Aside from a temporary slowdown of the mobile mail app, users will not observe any peculiar behavior on their device. On iOS 12, both successful and unsuccessful exploit attempts may cause a sudden crash of the Mail application.
On iOS 13, nothing is noticeable besides the slowdown. A failed attack will not be noticeable if another attack is carried out afterward and deletes the email.
When an attempted attack fails, the malicious email will show the message: “This message has no content.”
As Apple had not previously disclosed the flaw, this qualifies as a zero-day vulnerability. Zero-day exploits target bugs in software or hardware that are unknown to the manufacturer.
It was reported that the zero-day flaw has existed since at least iOS 6, which was released back in 2012. The reported vulnerability has already been patched in the latest Beta release of iOS. As for the non-Beta versions, fixes will be available in the upcoming release of iOS 13.4.5.
Fortunately, the attack does not work on third-party email applications such as Gmail or Outlook.
To steer clear of the issue, using the latest Beta version of the app on iPhone is recommended; otherwise, it is best to disable the pre-installed app and use the Outlook or Gmail app instead.