Apple Mail for iPhone may be vulnerable to malware attacks (updated)

Attacks may have started two years ago, although evidence is scarce.


The default email app on iPhones and iPads might be vulnerable to surreptitious malware attacks, at least if you ask a security research firm. ZecOps briefed the Wall Street Journal on a claimed vulnerability in Mail that lets attackers infect your device with malware without input — you wouldn’t have to tap a link or download a file. It’s “virtually undetectable” for users, the security firm said. While researchers didn’t explain exactly how the attack would work, it would involve sending a specially designed message.

The exploit may have been used for a while. ZecOps said it had evidence attackers had used the flaw for at least two years. There had been at least six targets, including staff at a Japanese telecom, a “large North American firm,” tech companies in Israel and Saudi Arabia, a German individual and a European journalist.

The problem, though, is that evidence is relatively difficult to find. ZecOps found its evidence through hints in iOS, and couldn’t obtain the malware as the messages had already been deleted. Jamf Software security researcher Patrick Wardle also told the WSJ that the evidence of ongoing attacks was “compelling,” but not authoritative.

We’ve asked Apple for comment. The investigators believe Apple has fixed the flaw in an iOS beta (presumably 13.4.5), so it may not be an issue for long. If the findings are accurate, though, they suggest that a patch is coming long after hackers dealt their damage — however limited it might have been.

Update 4/24 3PM ET: Apple tells Engadget that it has studied the issue and doesn’t believe it poses an “immediate risk” to users, as the issues alone are “insufficient to bypass” security measures. There’s also “no evidence” it has been used against customers despite ZecOps’ claims, Apple said. Nonetheless, a fix will be coming “soon.” You can read the full statement below.

“Apple takes all reports of security threats seriously. We have thoroughly investigated the researcher’s report and, based on the information provided, have concluded these issues do not pose an immediate risk to our users. The researcher identified three issues in Mail, but alone they are insufficient to bypass iPhone and iPad security protections, and we have found no evidence they were used against customers. These potential issues will be addressed in a software update soon. We value our collaboration with security researchers to help keep our users safe and will be crediting the researcher for their assistance.”