A new iOS exploit was discovered which was used to spy on China’s oppressed Uyghur minority. The exploit was discovered and named Insomnia by security firm Volexity. It works against iOS versions 12.3, 12.3.1, and 12.3.2.
The vulnerability behind this exploit was patched by Apple in July 2019 by releasing the iOS version 12.4. But the security firm states that Insomnia was exploited in the wild between January and March 2020.
The exploit was loaded onto the iOS devices of users visiting several Uyghur-themed websites. When a victim visited such a site, the Insomnia exploit was loaded onto the device, giving the attacker root access.
The hackers can then steal plaintext messages from different instant messaging clients, emails, photos, contact lists, and GPS location data.
The exploit was deployed by a threat actor who is tracked by the name of Evil Eye by the company. The Evil Eye group is believed to be a state-sponsored hacking unit operating at Beijing’s order, and spying on China’s Uyghur Muslim minority.
This same group was discovered in August last year by Google and Volexity using 14 iOS exploits to target Uyghurs since at least September 2016. The 14 exploits were also deployed using a similar “watering hole” technique: planting the exploit on a website and waiting for users to visit it.
Volexity published a report stating that when Google published its report on the 14 iOS exploits, Evil Eye shut down its infrastructure and stopped using the older exploits.
The security firm said that the group became active in January 2020 using the new Insomnia exploit, and continued their work of targeting the Uyghur minority by performing “watering hole” attacks.
The Insomnia exploit has several improvements compared to the earlier exploits the group used.
The earlier exploits were able to steal GPS coordinates, photos from the iOS Photos app, the address book of the Contacts app, emails from Gmail, and messages from WhatsApp, Telegram, WeChat, iMessage, and Hangouts. The new exploit additionally targets emails from the ProtonMail app and images transferred via the Signal app.
According to Volexity, any iOS user who visited the Insomnia-infected websites was vulnerable to being hacked. They confirmed successful exploitation of a phone running 12.3.1 via the Apple Safari, Google Chrome, and Microsoft Edge mobile browsers.
Similar to the earlier exploits, Insomnia doesn’t have a “boot persistence” mechanism, so when a phone is rebooted, the Insomnia malicious code is removed from the device.
But this does not mean that Evil Eye can’t get boot persistence if they ever want it. Even though the exploit was deployed across several websites, it was mostly found on the Uyghur Academy website (akademiye[.]org).
So, any user who has visited the Uyghur-themed websites and needs to protect their device can do so by updating the device to the iOS 12.4 release.