alt.hn

3/18/2026 at 2:28:40 PM

Hundreds of Millions of iPhones Can Be Hacked With a New Tool Found in the Wild

https://www.wired.com/story/hundreds-of-millions-of-iphones-can-be-hacked-with-a-new-tool-found-in-the-wild/

by WalterSobchak

3/18/2026 at 2:51:16 PM

Here is the Google Research group's writeup

https://cloud.google.com/blog/topics/threat-intelligence/dar...

Relevant forward:

> GTIG has identified several different users of the DarkSword exploit chain dating back to November 2025. In addition to the case studies on DarkSword usage documented in this blog post, we assess it is likely that other commercial surveillance vendors or threat actors may also be using DarkSword.

> Google Threat Intelligence Group (GTIG) has identified a new iOS full-chain exploit that leveraged multiple zero-day vulnerabilities to fully compromise devices. Based on toolmarks in recovered payloads, we believe the exploit chain to be called DarkSword. Since at least November 2025, GTIG has observed multiple commercial surveillance vendors and suspected state-sponsored actors utilizing DarkSword in distinct campaigns. These threat actors have deployed the exploit chain against targets in Saudi Arabia, Turkey, Malaysia, and Ukraine.

> DarkSword supports iOS versions 18.4 through 18.7 and utilizes six different vulnerabilities to deploy final-stage payloads. GTIG has identified three distinct malware families deployed following a successful DarkSword compromise: GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER. The proliferation of this single exploit chain across disparate threat actors mirrors the previously discovered Coruna iOS exploit kit. Notably, UNC6353, a suspected Russian espionage group previously observed using Coruna, has recently incorporated DarkSword into their watering hole campaigns.

by jryio

3/18/2026 at 3:00:26 PM

This should be the post, not Wired's blogspam.

by alecco

3/18/2026 at 4:08:55 PM

I wonder if that means 18.7.4 is vulnerable for all the Liquid Glass haters?

by echelon_musk

3/18/2026 at 4:52:09 PM

It's vulnerable, but iOS 18 since iOS 18.7.3 is only available for the 2018 iPhone XS and XR.

by lynndotpy

3/19/2026 at 2:37:33 AM

Also of note, the exploit relied on:

- CVE-2025-31277 or CVE-2025-43529
- CVE-2026-20700
- CVE-2025-14714
- CVE-2025-43510
- CVE-2025-43520

Any single one of these patched and the exploit was not functional anymore. After a collaboration between the Google Threat Intelligence Group and Apple, all of these have been patched.

by TacticalCoder

3/18/2026 at 3:38:28 PM

I know everyone hates liquid glass but isn’t that better security wise than being on an iOS that’s 8 versions behind?

by bix6

3/18/2026 at 3:40:05 PM

There are not 8 major versions between iOS 18 and iOS 26. Apple skipped the monotonously increasing version numbering system since iOS 1 during WWDC 2025 to adopt a year suffix based versioning system.

iOS 17, then iOS 18, then iOS 26, then iOS 27.

You're not the only party confused.

by jryio

3/18/2026 at 3:53:43 PM

Haha thanks! Good to know they are on years now. Back to random version numbers in 5 years? :p

by bix6

3/18/2026 at 6:33:51 PM

How is increasing by 1 every year random? :P

by sunnybeetroot

3/19/2026 at 6:02:50 AM

At some point they will decide to release two versions in a single year and have to figure out how to distinguish them.

It's inevitable because they decided on year, and Murphy's law dictates that they will encounter this problem.

by happymellon

3/18/2026 at 3:56:49 PM

Semver has always been king

by reactordev

3/18/2026 at 6:11:20 PM

Edit: Oop, I misread! Right, yes, the change up was arguably not entirely boring. Some people were excited at least.

Originally: To be the annoying pedant, version numbers did still monotonically increase, even with the gap, because each version is >= to the last. The mono means a single direction, not a step size of one.

by skygazer

3/18/2026 at 6:19:33 PM

To be an even more annoying pedant, they technically said "monotonously" not monotonically, though skipping to 26 still seems pretty monotonous.

by ticulatedspline

3/18/2026 at 3:11:57 PM

I'm really hoping Apple backtracks on its refusal to update the 18.x line for phones that are compatible with 26. At least provide a security update.

by k2enemy

3/18/2026 at 3:31:31 PM

Apple used to have a really good security record, it's mind boggling they blew it all up just to force Liquid Glass on users.

For those not in the loop, Apple used to provide security patches for supported older iOS versions. They changed a lot of behavior around the release of Liquid Glass (iOS 26, MacOS Tahoe). Starting with iOS 18.7.3, they only release patch versions for the iPhone XS and XR. They've repeated this, through to 18.7.6 now.

So much goodwill and trust, obliterated.

by lynndotpy

3/18/2026 at 4:06:20 PM

Those trillions of dollars aren't going to find their way into the pockets of the shareholders if they have to pay some rubes to maintain old stuff!

by titzer

3/18/2026 at 4:23:59 PM

I'm always surprised what isn't a national security issue.

by 6510

3/18/2026 at 5:31:42 PM

> to pay some rubes to maintain old stuff

Can LLMs backport fixes to stable branches?

by walterbell

3/18/2026 at 9:24:48 PM

Well, Apple already fixed the code, Apple is just choosing not to release it for most iPhones.

by lynndotpy

3/18/2026 at 4:03:44 PM

It's especially glaring since Apple just released a fix for a Coruna exploit that patched iOS 15.

by yborg

3/18/2026 at 4:14:03 PM

That's interesting, as they released security patches for iOS 15 devices like iPhone 6 as recently as a week ago.

by floralhangnail

3/18/2026 at 5:20:18 PM

Apple was always defeated in every pwn2own competition. I'm not sure if their security is any better or worse than anyone else.

by fortran77

3/18/2026 at 3:57:17 PM

> Starting with iOS 18.7.3, they only release patch versions for the iPhone XS and XR. They've repeated this, through to 18.7.6 now.

  iPhone XS/XR: the only Usable + Secure iPhone in 2026

by walterbell

3/18/2026 at 3:32:44 PM

Not going to happen (despite my still being on 18.x) because they want to force you to upgrade to 26 for publicity. As simple as that.

The new "security upgrade available" will (I bet) be "to 26".

by pfortuny

3/18/2026 at 5:15:31 PM

> for publicity

Or don’t want to maintain two different security architectures.

by JumpCrisscross

3/18/2026 at 7:16:44 PM

They security-updated iOS 15 a couple of months ago, so that does not seem likely.

by pfortuny

3/18/2026 at 5:16:06 PM

> for publicity

Or don’t want to maintain two different security architectures. Apple has always been visually opinionated.

by JumpCrisscross

3/18/2026 at 7:16:25 PM

They security-updated iOS 15 a couple of months ago, so that does not seem likely.

by pfortuny

3/18/2026 at 3:26:34 PM

Their design disaster must be hidden in metrics, damn be security.

by kace91

3/18/2026 at 4:08:47 PM

Apple should stop doing security by obscurity in the first place. People have no way of finding out whether their phones have been compromised. Lockdown mode is just a cope mechanism for phones likely already compromised and there is no guarantee lockdown mode cannot be bypassed.

Apple hardware is inherently insecure and it is bizarre that Apple keeps burying their head in the sand.

by varispeed

3/18/2026 at 4:24:22 PM

Aren’t their devices the most secure on the mass market?

More than non-obscure phones, laptops, desktops… washing machines, robot vacuums, doorbells, you name it

by unsupp0rted

3/18/2026 at 5:06:40 PM

Yes, but you can use anti-virus software on other platforms which can detect many threats.

Also just because others are not great, doesn't excuse Apple from being very much negligent.

I know many people who bought Apple products specifically because of the myth that they are secure. They were in fact mis-sold. There is common thinking that no anti-virus software = no viruses = secure among the non-technical crowd.

by varispeed

3/18/2026 at 5:32:54 PM

> the most secure

Except for withholding iOS 18 security fixes when public exploits are fixed in iOS 26.

by walterbell

3/18/2026 at 6:08:03 PM

Even then. I'll take a leaky iOS 18 over pretty much any leaky Android or internet-connected TV or whatever.

iPhones are still the least bad option, for regular people who aren't planning to solder anything, select their boot loader on launch, or recompile a kernel.

by unsupp0rted

3/18/2026 at 7:04:23 PM

My Pixel 8 Pro is more secure than your iOS 18 handset Apple don't care about.

by buggeryorkshire

3/19/2026 at 8:59:46 PM

You are claiming that based on information you don't have (the future). At least you could call it a prediction rather than state it as an obvious disfact.

by robocat

3/18/2026 at 3:32:19 PM

I wish I had a better sense of how these zero-click vulnerabilities work so I could get a sense of how to protect myself from them (you know, without giving in to Liquid Glass). Can they be blocked by an ad blocker? Are they blocked by any extant ad blockers? What about “Lockdown Mode”?

by MrDOS

3/18/2026 at 3:52:00 PM

Note that this is 1-click.

0-click example: receive an MMS with a malformed image that exploits a bug in decoding

by fn-mote

3/18/2026 at 6:30:53 PM

"0-click example: receive an MMS with a malformed image that exploits a bug in decoding ..."

Consider a SMS firewall that:

- flattens text to ascii-256

- recompresses, noises and slightly resizes images and video

... and only then passes the message onto your real (SIM card) phone number.

This, of course, requires that you host your phone number somewhere like Twilio which has other added benefits like additional protection from SIM-jacking and being invulnerable to theft or loss of your handset, etc.

Recommended.

by rsync
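An added example of the text-flattening step of the gateway described in the comment above (not code from the thread or from any product). It reads "ascii-256" as the 256-code-point Latin-1 repertoire, which is an assumption, and leaves the image re-encoding step out; the function name and sample message are constructed.

```python
import unicodedata
from typing import Dict, Tuple

# Assumption: the comment's "ascii-256" is taken to mean ISO-8859-1 (Latin-1).
TARGET_ENCODING = "latin-1"
ALLOWED_CONTROLS = {"\n", "\t"}

# Constructed sample: fullwidth letters, a bidi override, a zero-width space,
# an emoji, a NUL byte and a CRLF line ending.
SAMPLE = "\uff28\uff45\uff4c\uff4c\uff4f\u202e dlrow\u200b caf\u00e9 \U0001F600\x00\r\n"


def flatten_text(body: str) -> Tuple[str, Dict[str, int]]:
    """Reduce an inbound message body to printable Latin-1 text.

    Returns the flattened text and a small report the gateway can log.
    """
    report = {"replaced": 0, "controls_dropped": 0}

    # Fold compatibility forms (fullwidth letters, ligatures, NBSP) to their
    # plain equivalents so legitimate text survives the narrowing step.
    folded = unicodedata.normalize("NFKC", body)

    out = []
    for ch in folded:
        if ch in ALLOWED_CONTROLS:
            out.append(ch)
            continue
        # Every "C*" category is dropped: Cc controls, Cf format characters
        # (zero-width, bidi overrides, soft hyphen), private use, surrogates
        # and unassigned code points.
        if unicodedata.category(ch).startswith("C"):
            report["controls_dropped"] += 1
            continue
        # Anything that does not fit in one Latin-1 byte becomes a visible "?".
        if ord(ch) > 0xFF:
            out.append("?")
            report["replaced"] += 1
            continue
        out.append(ch)

    flat = "".join(out)
    # Raises UnicodeEncodeError if anything outside the target set remains.
    flat.encode(TARGET_ENCODING)
    return flat, report


if __name__ == "__main__":
    text, stats = flatten_text(SAMPLE)
    print(repr(text), stats)
```
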

3/19/2026 at 5:39:59 AM

If this firewall is available as a commercial product, eventually it will be infected, so there won't be any need to hack any client devices. Since this is clearly a niche product, the device manufacturer won't be able to identify and fix bugs as effectively as companies like Apple do. This follows ROSKOMNADZOR recommendations: to install a middleware device that decrypts, stores, modifies, blocks and redirects all traffic depending on rules submitted from an external party.

by Lockal

3/19/2026 at 4:56:45 PM

This isn’t a product.

This is a solution you build and run for yourself.

by rsync

3/20/2026 at 4:08:56 AM

This is a great flex, and appreciated.

by DANmode

3/18/2026 at 4:03:02 PM

It's a watering hole attack. At any point your iPhone sends an HTTP request to a compromised site, by ad, link, embedded, etc. your device will be exploited. There really isn't a way to permanently defeat this. We are about to see an explosion of novel attack types utilizing this exploit as their basis, you realistically cannot defend yourself against these without either updating or no longer using an iPhone.

by SimianSci

3/18/2026 at 5:36:42 PM

> At any point your iPhone sends an HTTP request to a compromised site, by ad, link, embedded, etc. your device will be exploited.

Would it help to disable Javascript on untrusted sites via Brave?

by walterbell

3/18/2026 at 4:20:03 PM

What are you talking about?

Why are we about to see an explosion?

by MrDOS

3/18/2026 at 3:45:45 PM

My understanding is ad blockers only stop one class. Lockdown Mode is supposedly a major upgrade given all the underlying processes it blocks / slows.

by bix6

3/18/2026 at 3:31:00 PM

>We also identified additional code added when the actor attempts to infect a user using Chrome, where the x-safari-https protocol handler is used to open the page in Safari (Figure 4). This suggests that UNC6748 didn't have an exploit chain for Chrome at the time of this activity.

Thanks Apple for allowing the overriding of the user's default browser.

by hnburnsy

3/18/2026 at 6:31:26 PM

https://support.apple.com/en-us/126604

iOS 26.3.1 (a), iPadOS 26.3.1 (a), macOS 26.3.1 (a), macOS 26.3.2 (a)

Released March 17, 2026

WebKit

Available for: iOS 26.3.1, iPadOS 26.3.1, macOS 26.3.1, macOS 26.3.2

Impact: Processing maliciously crafted web content may bypass Same Origin Policy

Description: A cross-origin issue in the Navigation API was addressed with improved input validation.

WebKit Bugzilla: 306050

CVE-2026-20643: Thomas Espach

by DavideNL

3/18/2026 at 3:03:14 PM

Welp, I've been holding out on that liquid glass crap as long as possible. Guess my phone is just going to suck now.

by ramesh31

3/18/2026 at 3:28:38 PM

I thought the same thing but updated a couple weeks back and actually really really enjoy the liquid glass. I don't recall what it was about the release that made me think I'd hate it, but I've half fallen in love with it, I was just thinking yesterday I wonder what all the fuss was about.

by neom

3/18/2026 at 3:53:13 PM

I believe it's changed a lot since it was initially debuted via the betas. And there was that Supabase post mocking it, where they made the whole UI glass, and that biased me a bit ha

by thejazzman

3/18/2026 at 3:38:23 PM

I don’t like it on the iPhone, but it’s more a “sigh, I’ll live with it” downgrade than a catastrophic one (at least once you go into the Safari settings and turn off the huge useless address bar by putting it in compact mode). It’s on the Mac where it’s truly a shitshow.

by Analemma_

3/18/2026 at 3:12:05 PM

Apple is probably going to issue an update for 18. Heck they released a security update for coruna on 15.x last week. Same thing maybe?

by msk-lywenn

3/18/2026 at 4:37:01 PM

No, they are not. Apple is choosing to only release the iOS 18 security patches for the XS and XR.

by lynndotpy

3/18/2026 at 3:09:14 PM

If it's really as bad as all that, they'll patch existing older releases.

by bombcar

3/18/2026 at 3:46:27 PM

>If it's really as bad as all that, they'll patch existing older releases.

They have patched existing releases of iOS 18... but then they artificially restricted those patches only to a couple of phone models that don't support iOS 26. So if you're on a vaguely modern iDevice and are still on 18 because you don't want the new UI and other fuckups you are not allowed to install the patched 18. It'd be one thing if you had a phone that simply never supported iOS 18 at all, or if Apple wasn't patching iOS 18 at all for anyone, but that they've gone to the effort to fix it but then also used it as another lever for force upgrades is really sucky.

by xoa

3/18/2026 at 7:33:46 PM

To be fair, it would cost them more to fully test the iOS 18 patches on all devices, than what it cost them to test a few devices. So I wouldn't quite call it artificially holding the patches back. But yeah, it is probably mostly motivated by avoiding bad PR of letting slightly-older devices get hacked, and then forcing everyone else to be on the new release. (FWIW I'm running iOS 18 on an iPhone SE 2020, so probably going to have to embrace all the change and bugs in iOS 26.)

by zzrrt

3/18/2026 at 5:17:56 PM

> you are not allowed to install the patched 18

Is it “you are not allowed,” or Cupertino isn’t going to bother developing and testing?

by JumpCrisscross

3/18/2026 at 6:10:29 PM

>Is it “you are not allowed,” or Cupertino isn’t going to bother developing and testing?

It is very firmly "you are not allowed". In fact you're not even allowed to switch back to iOS 18 at all. Only actively signed iOS IPSWs can be installed (barring historical cases where someone had saved signing tickets). You can see the current status at sites like https://ipsw.me and if you're on any iOS 26 supported iDevice currently only 26.3.1 is signed. The last iOS 18 version was 18.6.2 from August of last year. If you go back to the iPhone XS/XR, you'll see they're still updating iOS 18, with 18.7.6 released two weeks ago (March 4), but they've chosen to force anyone who wants security updates to move to iOS 26 instead.

by xoa

3/18/2026 at 7:21:26 PM

The rollback provisions, granted. But I’m arguing the other stuff requires QC attention Apple may not want to provide to a legacy line. That isn’t not allowing something that can be done. It’s not building something they don’t want to.

by JumpCrisscross

3/18/2026 at 11:16:38 PM

>But I’m arguing the other stuff requires QC attention Apple may not want to provide to a legacy line.

Oh come on. This is HN, we know how development works, how modular an OS is, how the patch process works and what that entails for testing in an incredibly restricted and limited hardware base. We know they have no issue doing retroactive updates for quite a while on the same code base for Macs, which have enormously more hardware variance than iDevices. These are extremely high profit margin premium products. You really don't need to carry water for the multi-trillion dollar megacorp with absolute wide-eyed credulity.

And on other systems, even if it wasn't supported, it'd be perfectly possible for hardware owners to patch various components or implement workarounds. It's only on iOS that Apple is utilizing technical controls to stop that dead.

>That isn’t not allowing something that can be done.

Yes, it is. They are 100% using their technical controls built into the underlying hardware and then on up to not allow something that can be done. They could trivially allow hardware owners, even if only as a buy-time option, to have the ability to add their own certificates to the iOS root of trust, and in turn install and modify any software they wished on their own to the extent of their abilities. Apple wouldn't have to do anything except not exert maximal artificial control.

They don't do that. They have the power. It's their responsibility in turn. It's pretty irritating anyone who has been around the block as much as you have would try to whitewash that. FFS.

by xoa

3/18/2026 at 4:25:44 PM

No. Apple already released the patch in February, and Apple chose not to patch older releases.

Apple of 2026 is not the same Apple of 2025. The people at Apple have held back iOS 18.7.3, iOS 18.7.4, iOS 18.7.5, or iOS 18.7.6 for most iPhones that support iOS 18.

These are dozens of CVEs patched in these updates, including numerous exploits as bad or worse than the one described in this one. (Article is paywalled so I couldn't read it, so I am getting the details from Google's post https://cloud.google.com/blog/topics/threat-intelligence/dar... )

- CVE-2025-43541, CVE-2025-43501 WebKit zero day https://www.theregister.com/2025/12/15/apple_follows_google_... (iOS 18.7.3)

- CVE-2025-43529 and CVE-2025-14174, mentioned in the article (iOS 18.7.3)

- The dyld exploit fixed in iOS 18.7.5, and the exploit in this article https://www.theregister.com/2026/02/12/apple_ios_263/ (iOS 18.7.5)

Unfortunately, in iOS 26, there is a new bug where Lockdown Mode breaks call recording, which is something I rely on. Something to weigh for anyone on iOS 18 who is considering installing iOS 26.

by lynndotpy

3/18/2026 at 5:38:57 PM

> Lockdown Mode breaks call recording

Do you mean screen recording? What are the symptoms of the bug?

by walterbell

3/18/2026 at 5:56:54 PM

Nope, call recording. Not sure how universal this is, but phone call recording immediately stops with the "This call is no longer being recorded" effect afterwards.

by lynndotpy

3/18/2026 at 3:33:36 PM

One can hope but I do not trust them.

by pfortuny

3/18/2026 at 3:26:24 PM

Liquid glass isn’t too bad on the iPhone or even the iPad. It’s mostly on the Mac that it sucks.

by dhosek

3/18/2026 at 4:35:47 PM

All these exploits and we still can't get proper jailbreaks on new iOS versions :( I moved away from Android years ago in the interest of digital privacy so it's just wonderful to hear security isn't as tight as I'd hoped haha.. Then again I guess those like myself staying on the bleeding edge version-wise aren't affected.

by SayThatSh

3/18/2026 at 4:47:59 PM

I suspect you'll see one with this or Coruna soon enough.

by eugenekolo

3/18/2026 at 2:35:53 PM

I got an alert this morning for an iOS update numbered 26.3.1(a).

(a)? This must be really bad.

by joezydeco

3/18/2026 at 3:10:05 PM

What device? I don't see anything beyond 26.3.1 on my iPhone 15 PromaxXDR™

by bombcar

3/18/2026 at 4:08:32 PM

The update can be found under

Settings > Privacy & Security > Background Security Improvements

by aurea

3/18/2026 at 9:55:12 PM

There it is, and I've never seen that area before.

by bombcar

3/18/2026 at 3:17:34 PM

iPhone 15 (vanilla) running iOS 18.7.2. I now have a permanent notification on my lock screen nagging me to update to iOS 26.

by joezydeco

3/18/2026 at 3:39:10 PM

Enabling beta updates for ios18 should kill the nagging notification.

by qaz_plm

3/18/2026 at 3:54:29 PM

But still only gets you to 18.7.3

by fn-mote

3/18/2026 at 3:52:51 PM

I'm keeping it there to remind me to stay defiant against the shittier UI. I'll wait until they can put it on a user switch or create a more readable option for older users. Which will probably be 'never'.

by joezydeco

3/18/2026 at 4:04:54 PM

I’m in the same boat. I was forced to update to the shitty UI at work, but not on my personal phone.

by a012

3/18/2026 at 4:15:09 PM

Same here. Which helped me confirm how bad it was.

by joezydeco

3/18/2026 at 5:12:05 PM

redmagic 11 is almost 1000 usd cheaper than the s25.

by 6510

3/18/2026 at 2:50:39 PM

> It can take over devices running iOS 18 that simply visit infected websites.

I wonder if this is supposed to be > iOS 18 or really just version 18?

by dewey

3/18/2026 at 2:54:49 PM

It's in the source article (from Google Research group):

> DarkSword supports iOS versions 18.4 through 18.7

https://cloud.google.com/blog/topics/threat-intelligence/dar...

The source exploits continued to be patched with all of them patched in iOS 26.3

by quentindanjou

3/18/2026 at 3:02:38 PM

Oh, I was confused why the article was so short and chalked it up to it being some developing story. Turns out there's a "You’ve read your last free article." heading that hides the rest but it's not very obvious that there's an article hiding.

by dewey

3/18/2026 at 2:44:07 PM

Impact: Processing maliciously crafted web content may bypass Same Origin Policy

Description: A cross-origin issue in the Navigation API was addressed with improved input validation.

WebKit Bugzilla: 306050

CVE-2026-20643: Thomas Espach

by FuriouslyAdrift

3/18/2026 at 4:48:32 PM

Unrelated bug as far as I can tell.

by eugenekolo

3/18/2026 at 3:37:35 PM

I was literally just attending a course on "innovation" and the topic of Apple vs Android was covered. Interestingly enough, a majority of students commenting cited iOS "security" as a core value proposition. As an Android user, however, I know there are a lot of CVEs in volume but in terms of severity, when an iOS issue happens it appears to generally be much more severe.

by throwaway2016a

3/18/2026 at 4:31:41 PM

I'd like a security patch for 18. I have no desire to upgrade to iOS Vista or whatever it is we're calling it

by geuis

3/18/2026 at 3:54:19 PM

Is the full exploit chain functional on iPhone 17 MIE/EMTE silicon with Lockdown Mode enabled?

by walterbell

3/18/2026 at 6:28:33 PM

No, because Lockdown Mode disabled JIT which is a part of this exploit chain.

by eugenekolo

3/18/2026 at 3:56:14 PM

the supply chain for offensive tooling is now indistinguishable from the supply chain for malware. take care of your security team!

by kevincloudsec

3/18/2026 at 2:51:42 PM

The interesting angle here is what this means for passes and credentials stored in Apple Wallet. If device compromise is this accessible, the assumption that Wallet passes are isolated from the rest of the device needs more scrutiny. Apple's security model relies heavily on the secure enclave but a tool like this changes the threat surface significantly.

by BTAQA

3/18/2026 at 3:39:02 PM

This is always the threat with walled garden style security. When you couple applications so tightly in an intrinsic trust network, on the basis that no external attacker can gain access, then the internal security is neglected and it only takes the weakest link.

by ozlikethewizard