Google Cybersecurity Team Issues Urgent iPhone Update Warning
Google cybersecurity researchers are issuing an urgent warning to iPhone users worldwide, advising them to update their devices to the latest version of iOS immediately. This critical alert follows the discovery of a sophisticated exploit kit called Coruna by the Google Threat Intelligence Group (GTIG), which targets multiple older iPhone software versions.
Dangerous Exploit Kit Targets Older iOS Versions
The Google Threat Intelligence Group has identified the Coruna exploit kit as a significant security threat capable of compromising iPhones running iOS 13 through iOS 17.2.1. The toolkit bundles exploits for multiple vulnerabilities, which malicious actors can use to gain complete control over devices and extract sensitive personal information.
According to Google's findings, the Coruna exploit kit does not function on the most recent iOS version, making immediate software updates the most effective defense against potential attacks. The warning comes at a time when heightened geopolitical tensions, particularly in the Middle East, have raised concerns about the potential use of cyber tools for targeted surveillance and espionage operations.
Technical Details of the Coruna Exploit Kit
In a comprehensive technical report, GTIG researchers revealed that the Coruna exploit kit contains five complete exploit chains and twenty-three separate exploits designed to compromise various iOS versions. The toolkit employs a sophisticated combination of browser-based vulnerabilities and system-level exploits to infiltrate devices.
The attack methodology typically begins when an iPhone user visits a malicious or compromised website. A hidden script then identifies the specific device type and iOS version running on the target device. Based on this reconnaissance, the system delivers a tailored exploit specifically designed to work on that particular configuration.
One particularly concerning vulnerability used in these attacks, identified as CVE-2024-23222, was a zero-day vulnerability until Apple addressed it in iOS 17.3. Google researchers noted that the exploit toolkit appears to have circulated among multiple threat actors over an extended period, suggesting an active market for reused or resold cyber-espionage tools.
Historical Usage and Threat Actor Connections
Researchers first identified components of the exploit chain in February 2025, when it was being utilized by a customer of a commercial surveillance vendor. Later that same year, the identical toolkit appeared in attacks targeting Ukrainian users, which investigators linked to a suspected Russian espionage group known as UNC6353.
By late 2025, the Coruna exploit kit was also observed in campaigns conducted by a financially motivated threat actor operating from China, tracked by Google as UNC6691. In these instances, attackers delivered the exploits through deceptive financial and cryptocurrency websites specifically designed to lure iPhone users.
How Attackers Exploit the Vulnerability to Steal Financial Data
According to the GTIG report, once the exploit chain successfully compromises a device, it deploys a program called PlasmaLoader that enables attackers to collect sensitive information systematically. The malware was specifically engineered to search for financial data and cryptocurrency wallet information stored on infected devices.
The malicious software can scan notes, images, and text files for specific keywords such as "backup phrase" or "bank account," then transmit this sensitive information to servers controlled by attackers. The malware also includes specialized modules capable of extracting data from several popular cryptocurrency wallet applications, including:
- MetaMask
- Trust Wallet
- Phantom
- Exodus
- Uniswap
Protection Recommendations for iPhone Users
Google emphasizes that the Coruna exploit kit cannot compromise devices running the latest iOS version, making software updates one of the simplest and most effective protective measures available to users. "The Coruna exploit kit is not effective against the latest version of iOS, and iPhone users are strongly urged to update their devices to the latest version," stated the Google Threat Intelligence Group in its official report.
For users who cannot update their devices immediately, researchers recommend enabling Lockdown Mode, a specialized security feature designed to reduce exposure to targeted attacks by limiting certain device functionalities. Google's discovery highlights how advanced cyber tools can transfer between different actors, including surveillance companies, espionage groups, and financially motivated attackers.
The company explained that sharing research about these exploit kits aims to raise awareness and encourage stronger security practices throughout the technology industry. For everyday iPhone users, researchers maintain that the advice remains straightforward: keep devices updated regularly, avoid suspicious websites, and enable additional security protections whenever possible.
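For administrators applying this advice across many devices, the following added example (not taken from Google's report) triages a device inventory against the iOS 13 through 17.2.1 range stated above and notes where Lockdown Mode can serve as an interim measure. The CSV column names and sample rows are constructed, and the iOS 16 minimum for Lockdown Mode is an assumption not stated in the article.

```python
import csv
import io

# Range the article gives for Coruna: iOS 13 through iOS 17.2.1.
CORUNA_MIN = (13, 0, 0)
CORUNA_MAX = (17, 2, 1)
# Assumption (not from the article): Lockdown Mode first shipped in iOS 16.
LOCKDOWN_MIN = (16, 0, 0)

# Constructed sample inventory export; column names are hypothetical.
SAMPLE_INVENTORY = """device_id,os_version
phone-001,17.2.1
phone-002,17.3
phone-003,15.8
phone-004,13
phone-005,12.5.7
phone-006,unknown
"""

def parse_version(text):
    """Turn '17.2.1' or '13' into a 3-tuple of ints; return None if malformed."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdecimal() for p in parts):
        return None
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (3 - len(nums)))

def triage(version_text):
    """Classify one device against the range stated in the article."""
    v = parse_version(version_text)
    if v is None:
        return "unknown-version: verify manually"
    if CORUNA_MIN <= v <= CORUNA_MAX:
        if v >= LOCKDOWN_MIN:
            return "in-range: update now; Lockdown Mode as interim"
        return "in-range: update now; Lockdown Mode unavailable"
    return "outside-stated-range: still update to latest iOS"

def triage_inventory(csv_text):
    """Return {device_id: triage result} for every row of the export."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["device_id"]: triage(r["os_version"]) for r in rows}

if __name__ == "__main__":
    for device, result in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{device}: {result}")
```

Devices reported as outside the stated range are still told to update, since the article's guidance is to run the latest iOS rather than merely a version above 17.2.1.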
