New ‘DarkSword’ Spyware Could Be Capable of Hacking Millions of iPhones, Researchers Find. Here’s What You Should Know

Hundreds of millions of iPhone users could be susceptible to hackers using a new malware tool called DarkSword if they have not recently updated their software, according to cyber-security researchers.

An investigation by Google and cybersecurity firms Lookout and iVerify found that hackers, many operating from China and Russia, have been using the tool to extract information from iPhones operating on certain older versions of iOS.

Researchers from the three companies observed DarkSword attacks targeting iPhone users in Ukraine, China, Saudi Arabia, Turkey, and Malaysia. They did not report any hacks on American targets. 

“This is a pretty significant threat,” Damon McCoy, a professor and co-director of the Center for Cyber Security at New York University, tells TIME. “There’s still probably quite a few people that are still running this outdated version of iOS, and those people are quite vulnerable.”

Here’s what to know about DarkSword and how to protect yourself from a potential hack. 

What is DarkSword, and how can it be used to hack iPhones?

DarkSword, according to researchers, is an exploit chain—a type of cyberattack in which a hacker uses multiple software vulnerabilities to infiltrate a user’s device and pull information from it. These combined exploits allow hackers to attack a device via multiple entry points, making them harder to defend against. 

The Google Threat Intelligence Group said in a report released on Wednesday that DarkSword “uses six different vulnerabilities to fully compromise a vulnerable iOS device.”

Lookout, which published its findings in coordination with Google, said DarkSword uses such vulnerabilities to gain higher-level permissions and privileges in a phone’s systems in order to “access sensitive information and exfiltrate it off the device.” 

Lookout found that hacks using DarkSword start with the Safari web browser before moving into other phone systems. The exploit tool employs a “hit-and-run” tactic, the cybersecurity company explained, extracting information within seconds or, “at most,” minutes before cleaning up the data it collected and exiting.

McCoy tells TIME the attacks made through web browsers are called “drive-by downloads,” during which a user need only click on a link, rather than make a download to their device, in order for a hacker to gain access to their information. 

Among the websites researchers identified as being used in DarkSword attacks was one with a gov.ua address, according to iVerify, which the company noted indicates that the Ukrainian government’s server had been compromised. In another instance, Google found that hackers targeted Saudi Arabian iPhone users through a website disguised to resemble the social media and messaging app Snapchat. 

“DarkSword appears to be a surveillance and intelligence gathering tool, blanket pulling data including Wi-Fi passwords, text messages, call history, root location history, browser history, SIM card and cellular data as well as health, notes and calendar databases, though it does also look for crypto wallets,” iVerify said in a news release on Wednesday. 

It has been used since “at least” November 2025 by “multiple commercial surveillance vendors and suspected state-sponsored actors” to exploit millions of targets, according to Google.

Which iPhones could be at risk?

iPhones operating on iOS versions 18.4 to 18.7 are potentially vulnerable to hacks using DarkSword, according to researchers.

That includes an estimated 270 million devices around the world, iVerify said.

How can you protect your phone?

Apple pointed TIME to a support page, published on Thursday, that instructs users on how to protect their iPhones from web attacks.

“Keeping software up to date remains the single most important thing users can do to maintain the high security of their Apple devices,” Apple spokesperson Sarah O’Rourke said in a statement to news outlets following the release of the researchers’ findings.

The first step users should take is updating their software to the latest version, iOS 26, which will protect users from such attacks, the support page says. 

Google said that “all vulnerabilities were patched with the release of iOS 26.3 (although most were patched prior).”

The company also released updates for iOS 15 and 16 in March 2026 to extend protections to users with older iPhone models. If users have devices running iOS 13 or 14, they must update their software to iOS 15 to receive protections from malware attacks. 

If iPhone users are unable to update their devices, Apple advises enabling “Lockdown Mode,” which it describes as “an optional, extreme protection that’s designed for the very few individuals who, because of who they are or what they do, might be personally targeted by some of the most sophisticated digital threats.”

Google noted it has added domains identified as being involved in DarkSword attacks to its Safe Browsing service. The company also advised that iPhone users update their devices to the latest version of iOS or enable Lockdown Mode “for enhanced security” in cases in which updating is not possible. 

 
