A new cybersecurity report reports that applications for both iOS and macOS have been vulnerable to serious supply-chain cyberattacks. The study found that hackers could manipulate email verification mechanisms for developers, making it easier to plant malware in applications.

The paper claims that approximately 3 million CocoaPods-built iOS and macOS apps have been vulnerable for ten years. For those who don't know, 9to5Mac explains that CocoaPods facilitates the integration of third-party code into programs by providing open-source libraries. When a library is updated, apps that use it automatically receive the most recent updates.

According to EVA Information Security, the exploit might provide hackers with access to private content, credit card numbers, medical records, and other sensitive app data. The information may be exploited for ransomware, fraud, blackmail, corporate espionage, and other nefarious activities.

The weaknesses were associated with an unreliable email verification system that verified the identity of developers for specific pods or libraries. An attacker could, for instance, change the URL of a verification link to direct users to a malicious server. The CocoaPods team has already taken action to guarantee that the vulnerabilities have been patched. 

Apple Warns Users of Possible Hacking

The latest known vulnerability was discovered just a few months after Apple sent out a concerning alert to iPhone customers in 92 countries, alerting them to the possibility of mercenary spyware assaults. At the time, there were worries about targeted surveillance activities when the tech giant sent the alert to people worldwide.

Apple alerted consumers, at the time, to the possibility that they were the subject of a mercenary malware attack that aimed to breach the iPhone linked to their Apple ID remotely.  

The corporation underscored the gravity of the circumstance, pointing out that the assault probably singles out specific people based on their identities or actions.

Apple has previously released similar cautions. Similar alerts have been sent to subscribers in more than 150 countries since 2021, suggesting a continuous and pervasive threat landscape.

Apple on Spyware

Notably, in October of last year, Indian opposition leaders and journalists were among those informed of possible spyware assaults, underscoring the extensive worldwide reach of these monitoring initiatives. The massive Cupertino company hasn't, however, directly linked these notifications to any state-sponsored assailant.

The spyware alarms coincide with rising worries about state-sponsored online activity, especially as many nations prepare for elections. Regarding the alerts' timing, Apple stayed silent.

It is impossible to overstate how sophisticated these attacks are, as, according to Apple, mercenary spyware attacks, which use Pegasus from the NSO Group, are much rarer and more sophisticated than typical cybercrime or consumer malware. 

NSO is an Israeli company specializing in remotely hacking iPhones and is well-known for its Pegasus spyware. In March, a US judge ruled in Meta's favor, directing NSO to give up its Pegasus code.

Pegasus is a spyware virus that may take over a mobile device, read messages from different apps, make calls, and take private information. These attacks, frequently linked to governmental entities or private enterprises, are resource-intensive and customized for particular targets.