Apple iOS Malware Targets Crypto Apps on Unpatched iPhones: Google

In brief

  • Google researchers have identified an iOS exploit chain called DarkSword that works against iPhones running iOS versions 18.4 through 18.7.
  • The exploit can be used to deliver Ghostblade malware that specifically targets crypto exchange and wallet apps.
  • Campaigns using DarkSword have been observed in Saudi Arabia, Turkey, Malaysia, and Ukraine, with some attacks compromising government websites.

Google researchers have identified an iOS exploit chain, already in use in the wild, that can deliver malware specifically targeting cryptocurrency apps on vulnerable iPhones.

The exploit, dubbed DarkSword, leverages six vulnerabilities to deploy malware on devices running iOS versions 18.4 through 18.7, according to the research.

Once a user visits a malicious or compromised website with a vulnerable device, the exploit is used to deploy malware, including a JavaScript-based data stealer called Ghostblade that actively seeks out major crypto exchange apps such as Coinbase, Binance, Kraken, Kucoin, OKX, and MEXC.

Ghostblade also hunts for popular crypto wallet applications including Ledger, Trezor, MetaMask, Exodus, Uniswap, Phantom, and Gnosis Safe. At the same time, it exfiltrates SMS and iMessage messages, call history, contacts, Wi-Fi passwords, Safari cookies and browsing history, location data, health data, photos, saved passwords, and message history from Telegram and WhatsApp.

Multiple actors are deploying the exploit, ranging from commercial spyware vendors to state-backed groups, with campaigns observed in Saudi Arabia using a fake Snapchat lookalike, and in Ukraine through compromised websites including a government site.

Ghostblade is designed for quick data theft rather than long-term surveillance—it collects all available data, then deletes its temporary files and terminates itself.

This is the latest in a wave of malware targeting crypto users, including the Inferno Drainer malware that stole some $9 million from crypto users over a six-month period last year, and a campaign that saw counterfeit Android smartphones pre-loaded with crypto-stealing malware.
