Kaspersky Discloses Apple Zero-Click Malware

Russian Government Claims It Uncovered 'Several Thousand' Infections
iPhones for sale in St. Petersburg, Russia, in August 2021 (Image: Shutterstock)

Russian cybersecurity firm Kaspersky said it uncovered zero-click malware infecting staffers' iPhones on the same day the Kremlin claimed it had uncovered a "reconnaissance operation by American intelligence agencies."

Kaspersky, in a Thursday blog post, said the malware has been active at least since 2019 and infects devices with an iMessage attachment that automatically triggers code execution. Kaspersky calls the campaign behind the malware Operation Triangulation.

Russian domestic intelligence agency the Federal Security Service said it had uncovered several thousand iPhones infected with the same malware and accused Apple of collaborating with the U.S. National Security Agency.

The malware exfiltrates data including microphone recordings, photos from instant messaging apps, geolocation and other sensitive data. The Russian National Coordination Center for Computer Incidents issued a bulletin listing the same set of 15 malware command-and-control domains that Kaspersky identified.

Apple, which has a well-documented history of defying U.S. government attempts to weaken its security, issued a terse statement.

"We have never worked with any government to insert a backdoor into any Apple product and never will," an Apple spokesperson said.

The smartphone giant also said that Kaspersky had reported the malware doesn't work past the iOS 15.7 iPhone operating system. Apple introduced iOS 16 to the public last September.

A Kaspersky spokesperson said the company determined one of the vulnerabilities used by the malware was CVE-2022-46690, an out-of-bounds write issue patched in December.

The security firm noticed the attack after employees' devices began to exhibit suspicious behavior including an inability to download iOS updates, which it said is a common indicator of compromise.

"The spyware managed to infect several dozen iPhones of our employees," Eugene Kaspersky, the founder of the security firm, tweeted. The malware appears distinct from known commercial spyware apps such as Pegasus, Predator or Reign, he tweeted.

The CEO also said he's "confident that Kaspersky was not the main target of this cyberattack." The cybersecurity company has long provoked national security concerns in the United States, culminating in its March 2022 inclusion on a Federal Communications Commission blacklist that prevents recipients of telecom subsidies from spending federal dollars on its products. Congress has prohibited federal agencies from contracting with Kaspersky since 2018.

The Kremlin reportedly told officials involved in preparations for Russia's 2024 presidential elections in March to stop using iPhones, citing the potential for Western surveillance.

Kaspersky is currently reviewing the attack tactics and said it will disclose more details on the vulnerability and the malware strain in coming days.

Kaspersky researchers' analysis states that the "single most reliable indicator" of the malware infection is the presence of a process named "BackupAgent."

That binary is deprecated, researchers say. "However, it is important to note that there is also a binary named 'BackupAgent2,' and that is not an indicator of compromise."
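The caveat above is easy to get wrong in practice: a substring search for "BackupAgent" in a process list also matches the benign "BackupAgent2". The following added example (not Kaspersky's tooling, and run on a constructed ps-style listing rather than real device data) shows the faulty check beside the exact-match check a triage script should use.

```python
# Constructed sample in the style of `ps -e -o pid,comm`; not real
# sysdiagnose output from the article or from Kaspersky's analysis.
SAMPLE_PROCESS_LIST = """\
  PID COMM
    1 launchd
  212 BackupAgent2
  318 backupd
  451 BackupAgent
  502 imagent
"""

# Process name Kaspersky's analysis calls the single most reliable indicator.
# "BackupAgent2" is legitimate and must not be flagged.
IOC_PROCESS = "BackupAgent"


def parse_process_list(text):
    """Return (pid, name) pairs from the ps-style listing, skipping the header."""
    procs = []
    for line in text.splitlines()[1:]:
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].isdigit():
            procs.append((int(parts[0]), parts[1].strip()))
    return procs


def naive_hits(procs):
    """Substring match: the mistake the caveat warns about (flags BackupAgent2 too)."""
    return [p for p in procs if IOC_PROCESS in p[1]]


def exact_hits(procs):
    """Exact match on the full process name: only the deprecated binary is flagged."""
    return [p for p in procs if p[1] == IOC_PROCESS]


if __name__ == "__main__":
    procs = parse_process_list(SAMPLE_PROCESS_LIST)
    print("naive (false positive included):", naive_hits(procs))
    print("exact (indicator only):", exact_hits(procs))
```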

With reporting by ISMG's David Perera in Washington, D.C.

About the Author

Akshaya Asokan
Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.