Anomalous crashes on iPhones belonging to high-value individuals in the EU and US are likely linked to sophisticated zero-click attacks targeting an iMessage vulnerability, mobile EDR firm iVerify says.
The suspicious activity, observed in late 2024 and early 2025, with the most recent incidents dated March 2025, reportedly targeted six devices belonging to individuals affiliated with political campaigns, governments, media organizations, and tech companies in the EU and US.
On four of the devices, the security firm found signatures associated with the exploited vulnerability, dubbed Nickname, while the other two showed clear indicators of exploitation. All victims had previously been targeted by Chinese state-sponsored hackers.
At least one of the victims, iVerify says in a technical report (PDF), received an Apple Threat Notification roughly one month after the crashes.
The exploited bug resides in ‘imagent’, the process that handles iMessage traffic, including data associated with Nickname Updates, a feature that allows users to share customized contact information.
The process uses a mutable data container when broadcasting the updates to other parts of the system, and the container can be modified while it is being accessed by other processes, creating a race condition that can trigger a use-after-free memory corruption flaw.
According to iVerify, the most concerning aspect of the security defect is that it can be triggered without user interaction, by sending “repeated, rapid-fire nickname updates to iMessage”.
The underlying security defect, iVerify notes, was seen on devices running iOS versions up to 18.1.1, and was resolved in the iOS 18.3.1 release earlier this year.
The security firm’s investigation uncovered crashes related to Nickname Updates only on the devices of individuals likely targeted by sophisticated threat actors, and it believes the bug may have been used as part of a larger exploit chain leading to device compromise.
On iPhones on which the Nickname vulnerability was likely exploited, iVerify found that directories related to SMS attachments and message metadata were modified and emptied 20 seconds after the ‘imagent’ process crashed, a pattern of clean-up activity typically associated with confirmed spyware attacks.
“While no smoking gun definitively proving exploitation exists, when taken together, this body of evidence gives us moderate confidence these crashes indicate targeted exploitation attempts,” iVerify notes, adding that circumstantial evidence links the potential attacks to Chinese hackers.
SecurityWeek has emailed Apple for a statement on iVerify’s findings and will update this article if the company responds.
Related: Apple Patches Major Security Flaws in iOS, macOS Platforms
Related: AirPlay Vulnerabilities Expose Apple Devices to Zero-Click Takeover
Related: Apple Quashes Two Zero-Days With iOS, macOS Patches