Researchers discover iPhone spyware that can infiltrate millions of devices

article

A number of prospective buyers view the iPhone 17 Series firsthand at Grand Indonesia Mall in Jakarta, Indonesia, on October 17, 2025. (Photo by Faisal Ramadhan/NurPhoto via Getty Images)

A sophisticated software exploit capable of breaching and extracting data from potentially hundreds of millions of Apple iPhones was recently embedded across dozens of websites in Ukraine, researchers said on Wednesday, according to Reuters.

The finding marks the second instance this month of researchers uncovering spyware aimed at iPhones and other Apple devices.

Dig deeper:

Researchers from cybersecurity firm Lookout, mobile security company iVerify, and Alphabet’s Google published coordinated analyses of the malware, which they have dubbed "Darksword." 

On March 3, Google and iVerify disclosed a separate, powerful iPhone spyware strain called "Coruna," and researchers said Darksword was hosted on the same servers.

RELATED: More tech layoffs: Dell cuts 10% of workforce in past fiscal year

What they're saying:

"There’s now a verified pipeline of recent exploits ... that have ended up in the hands of potentially criminal entities with ​a financial focus," Justin Albrecht, principal researcher with Lookout, told Reuters. 

Apple takes down ICE tracking apps after DOJ pressure

Apple has now dropped an ICE tracking app from its App Store Thursday after the Department of Justice and Attorney General Pam Bondi raised concerns with the tech giant over the app putting law enforcement officers at risk. LiveNOW?s Austin Westfall is getting the latest report from Fox Business.

Why you should care:

Google said its researchers observed multiple commercial vendors and suspected state-linked hackers deploying Darksword in separate campaigns targeting users in Saudi Arabia, Turkey, Malaysia and Ukraine.

The operations in Malaysia and Turkey were linked to Turkish commercial surveillance firm PARS Defense, Google said. PARS Defense did not respond to a request for comment.

RELATED: Apple launches new tool to make sure users on some apps are at least 18 years old

Researchers at iVerify and Lookout said the malware was delivered to iPhone users running iOS versions 18.4 through 18.6.2 who visited dozens of compromised Ukrainian websites. Apple released those versions between March and August 2025.

Researchers said it remains unclear how many iPhones are vulnerable to Darksword. 

Apple has issued multiple patches for the underlying flaws exploited by the spyware, but many users have yet to update their devices. Based on public estimates, iVerify and Lookout said roughly 220 million to 270 million iPhones may still be running affected iOS versions. Google did not share its findings prior to Wednesday’s report.

What they're saying:

An Apple spokesperson said the exploits affected "out-of-date software," adding that the underlying vulnerabilities have been fixed through multiple updates over recent years for users running the latest versions of their devices’ operating systems.

"Keeping software up to date ⁠remains the single most important thing users can do to maintain the high security of their Apple devices," the spokesperson said.

The spokesperson added that all malicious domains identified by Google have been blocked by Apple Safe Browsing in the Safari web browser to help prevent further exploitation.

The emergence of two separate, powerful iOS exploits this month points to a growing ecosystem of tools once largely confined to state-level intelligence operations, said Rocky Cole, co-founder and COO of iVerify.