Google warns government‑grade iPhone exploit kit spreads to hackers, 9to5Mac says
While government‑grade iPhone exploits are meant for nation‑state use, Google’s Threat Intelligence Group says the Coruna kit is already leaking to cybercriminals, 9to5Mac reports.
Key Facts
- Key company: Google
Google’s Threat Intelligence Group (TAG) detailed the inner workings of “Coruna,” an exploit kit that stitches together five full‑chain iOS vulnerabilities and a total of 23 CVE‑listed flaws to compromise devices running iOS 13 through iOS 17.2.1 — according to a post on the Google Cloud Blog cited by Wired. The attack begins with a malicious web page that runs hidden JavaScript to fingerprint the target’s model, iOS version and security settings. If the device is not protected by Apple’s Lockdown Mode or private‑browsing, the kit proceeds through a series of chained exploits that bypass the kernel, sandbox and code‑signing checks, ultimately installing a payload capable of exfiltrating data or loading additional modules. Google emphasizes that the chain is ineffective on the latest iOS releases, underscoring the importance of timely updates.
iVerify, a mobile‑security firm, corroborated Google’s findings in a parallel report, noting that Coruna’s code shares a “foundational” architecture with known U.S. government hacking tools. The firm described the kit as “the first observed mass exploitation of mobile phones, including iOS, by a criminal group using tools likely built by a nation‑state” — a claim echoed by Google’s TAG. iVerify’s reverse‑engineering suggests the kit leaked from its original government‑grade environment and has since been weaponised by Russian intelligence operatives and China‑based cybercriminals. The report links the leak to a broader trend where sophisticated spyware, once confined to targeting journalists and dissidents, has expanded to executives in tech, finance and political campaigns.
Both Google and iVerify say the delivery vector for Coruna is a classic “watering‑hole” attack. Compromised websites, often masquerading as cryptocurrency services, lure victims to malicious pages that host the exploit chain. Once a device is infected, the final payload appears financially motivated: modules are designed to scrape cryptocurrency wallet addresses, private keys and recovery phrases, enabling attackers to siphon digital assets. This aligns with earlier observations that iOS‑targeted spyware has increasingly pursued monetary gain alongside espionage, a shift noted in multiple reports over the past year.
The emergence of a government‑grade iPhone exploit in the hands of criminal actors raises immediate security concerns for Apple’s ecosystem. While Apple has historically patched zero‑day flaws quickly, the sheer number of vulnerabilities bundled in Coruna—spanning five iOS releases—means that devices left on older versions remain exposed for an extended window. Google’s TAG advises users to enable Lockdown Mode, keep iOS updated, and avoid private‑browsing bypasses that the kit checks for. iVerify adds that enterprises should monitor network traffic for the characteristic JavaScript fingerprinting patterns that precede the exploit chain.
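The advice above (update iOS, enable Lockdown Mode) is easiest to act on when it is run against a device inventory. The following is an added example, not code from Google, iVerify or Apple: it triages a constructed MDM-style inventory, flagging devices whose iOS version falls inside the reported iOS 13 through 17.2.1 window and devices without Lockdown Mode enabled. The inventory fields, the sample devices and the `triage` function are assumptions made for this example.

```python
"""Triage a device inventory against the Coruna exposure window.

Added example, not Google's, iVerify's or Apple's code. The inventory layout
(device id, iOS version string, Lockdown Mode flag) is an assumption; real
MDM exports use their own field names.
"""
from dataclasses import dataclass

# Affected range reported in the article: iOS 13 through iOS 17.2.1, inclusive.
AFFECTED_MIN = (13, 0, 0)
AFFECTED_MAX = (17, 2, 1)

# Lower number = more urgent; used to order the findings.
SEVERITY_RANK = {"critical": 0, "high": 1, "advisory": 2, "unknown": 3}


def parse_version(text: str) -> tuple:
    """Normalise strings such as 'iOS 17.2' or '17.2.1' into a comparable 3-tuple."""
    cleaned = text.strip().lower().removeprefix("ios").strip()
    parts = cleaned.split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable iOS version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return tuple(nums)


def in_affected_window(version: str) -> bool:
    """True if the version is within the inclusive 13.0.0 .. 17.2.1 window."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


@dataclass
class Device:
    device_id: str
    ios_version: str      # as exported by the MDM (assumed format)
    lockdown_mode: bool   # Lockdown Mode enabled? (assumed field)


def triage(devices):
    """Return (device_id, severity, reason) for devices needing attention, most urgent first."""
    findings = []
    for d in devices:
        try:
            exposed = in_affected_window(d.ios_version)
        except ValueError:
            findings.append((d.device_id, "unknown", "version string unparseable; verify manually"))
            continue
        if exposed and not d.lockdown_mode:
            findings.append((d.device_id, "critical",
                             "iOS in affected window and Lockdown Mode off: update and enable Lockdown Mode"))
        elif exposed:
            findings.append((d.device_id, "high", "iOS in affected window: update"))
        elif not d.lockdown_mode:
            findings.append((d.device_id, "advisory", "Lockdown Mode off: consider enabling"))
    findings.sort(key=lambda f: SEVERITY_RANK[f[1]])
    return findings


# Constructed sample inventory for demonstration only.
SAMPLE_DEVICES = [
    Device("A", "17.2.1", False),   # last affected version, no Lockdown Mode
    Device("B", "iOS 17.3", False), # patched, but Lockdown Mode off
    Device("C", "13.0", True),      # oldest affected version, Lockdown Mode on
    Device("D", "18.1", True),      # nothing to report
    Device("E", "unknown", True),   # bad inventory data
]

if __name__ == "__main__":
    for device_id, severity, reason in triage(SAMPLE_DEVICES):
        print(f"{severity:9} {device_id}: {reason}")
```

The version window is applied inclusively at both ends because the article gives 17.2.1 as the last affected release; devices with unparseable version strings are surfaced rather than silently skipped, since a gap in inventory data is itself something to chase.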
Industry analysts are watching the fallout closely. If the leak proves widespread, it could pressure Apple to accelerate its update cadence and broaden its support for older hardware, a move that would echo past emergency patches prompted by high‑profile exploits. Meanwhile, the attribution to U.S. government tooling complicates diplomatic narratives, as the same code now fuels Russian and Chinese cyber‑crime campaigns. As Google and iVerify continue to share indicators of compromise, the broader security community is urged to treat Coruna as a reminder that even the most sophisticated, nation‑state‑grade tools can eventually trickle down to the open market, endangering millions of everyday iPhone users.
Sources
This article was created using AI technology and reviewed by the SectorHQ editorial team for accuracy and quality.