The assumption among iPhone security experts was that finding vulnerabilities in iOS required significant time, resources, and expertise. This made iPhone spyware and zero-day vulnerabilities rare and typically used in targeted attacks, as noted by Apple.
Recently, cybersecurity researchers at Google, iVerify, and Lookout have reported broad hacking campaigns using tools like Coruna and DarkSword, indiscriminately targeting users who haven’t updated to the latest iOS. Hackers, including Russian spies and Chinese cybercriminals, exploit victims through hacked websites, potentially stealing phone data from many users.
Some of these tools have leaked online, making it easy for anyone to attack Apple users with older iOS versions. Apple has developed new security features, such as memory-safe code and Lockdown Mode, to enhance iPhone security.
However, many older iPhones are vulnerable to spyware attacks. There are two security classes of iPhone users: those with the latest iOS 26 on the iPhone 17, which has Memory Integrity Enforcement to protect against memory corruption bugs, and those with older iOS versions prone to these exploits.
The discovery of Coruna and DarkSword suggests memory-based attacks could persist on outdated devices. iVerify and Lookout experts suggest these tools challenge the notion that iPhone hacks are rare.
Matthias Frielingsdorf of iVerify remarks that mobile attacks are widespread, but zero-day attacks against the latest software will remain expensive, limiting their scope.
Apple security expert Patrick Wardle notes that the fact that iPhone attacks are rarely documented doesn’t mean they aren’t happening. Advanced technology, like tanks or missiles, reflects a baseline capability accessible to many.
Coruna and DarkSword also highlight a thriving “second-hand” market for exploits, providing financial incentives for multiple sales of the same exploit, says Justin Albrecht of Lookout. Brokers might resell exploits before patches are widely applied, indicating an ongoing trend.
