Google's Threat Intelligence Group Exposes Sophisticated iPhone Spyware
Cybersecurity experts have revealed a potent new hacking tool capable of covertly seizing control of Apple iPhones. The spyware, named 'Coruna,' was initially detected by researchers at Google's Threat Intelligence Group (GTIG), who published their alarming findings this Tuesday. According to the report, this malicious software can target devices running iOS versions launched from 2019 through late 2023, prompting urgent calls for affected users to update their phones immediately to mitigate risks.
Origins and Evolution of the Coruna Exploit Kit
GTIG has been monitoring the Coruna tool since 2025, with cybersecurity firm iVerify suggesting it may have originated as a surveillance instrument developed for the US government before leaking into wider circulation. The toolkit incorporates more than twenty distinct vulnerabilities that enable attackers to breach Apple devices, effectively bypassing the built-in security protections that users rely on. This sophisticated attack was partly engineered to exploit weaknesses in Apple's Safari browser, and it can be activated through multiple vectors, including when an unsuspecting user clicks on a malicious link.
Once triggered, the spyware can steal text fragments and potentially access highly sensitive information stored on the device, such as personal photos, notes, and critical financial data. In July 2025, a Russian espionage group used Coruna to hijack Ukrainian websites, while Chinese hackers allegedly deployed it via counterfeit cryptocurrency platforms aimed at duping unwary individuals, as reported by PCMag. iVerify elaborated in a blog post, stating, 'Coruna is one of the most significant examples we've observed of sophisticated spyware-grade capabilities proliferating from commercial surveillance vendors into the hands of nation-state actors and ultimately mass-scale criminal operations.'
Technical Mechanisms and Widespread Impact
According to GTIG, the vulnerabilities allow attackers to circumvent built-in protections and gain deep, undetected access to iPhones. Researchers at iVerify conducted an independent investigation that corroborates Google's findings, noting the technology's unusually advanced nature, which mirrors tools typically reserved for high-level surveillance operations. However, in this instance, these techniques have disseminated beyond their original intent, ending up in the possession of multiple hacking collectives.
The team highlighted that such proliferation is becoming increasingly commonplace. Surveillance software crafted for intelligence missions can occasionally leak or be traded on underground markets, enabling cybercriminals to rapidly repurpose these powerful tools against everyday users. The Coruna spyware has been used in different ways: initially associated with highly targeted attacks believed to involve foreign intelligence groups, it later surfaced on fraudulent websites engineered to entice visitors into opening them on iPhones. Any user with a vulnerable device visiting these sites risked having their phone compromised.
User Vulnerability and Protective Measures
From the user's perspective, the attack is deceptively straightforward. Victims merely need to open a malicious website on their iPhone for the attack to begin. The page covertly checks device specifics, such as the model and iOS version, and if the phone is susceptible, hidden code runs automatically to take control of it. Once in, the spyware installs additional software that lets hackers harvest sensitive data by scanning photos and notes and searching for financial details such as bank account references or cryptocurrency wallet recovery phrases.
The malware can also download extra tools from remote servers, expanding attacker access post-infection. Investigators have discovered modules specifically tailored to target popular digital wallet applications and financial platforms, underscoring the grave threat to personal security. Security experts warn that this discovery illustrates the rapid evolution of mobile threats. While iPhones were long regarded as relatively secure against large-scale hacking campaigns, the dissemination of advanced exploit kits like Coruna indicates that potent hacking capabilities are becoming more accessible.
Expert Recommendations for iPhone Security
Despite these alarming revelations, experts affirm that most users can safeguard themselves by maintaining updated devices. Google confirmed that the exploit kit is ineffective on the latest iOS versions, which incorporate patches for the vulnerabilities exploited in the attack. Researchers strongly advise iPhone users to install the most recent updates promptly upon release. For those unable to update immediately, enabling Apple's Lockdown Mode—a security feature designed to thwart sophisticated hacking attempts—is recommended as a protective measure. Daily Mail has reached out to Apple for comment on this developing cybersecurity issue.
