Google Raises Alarm Over Sophisticated Cyber-Attack Tool Targeting iPhone Users

 

In a significant development within the cybersecurity domain, researchers from Google have unveiled the presence of a powerful cyber-attack tool, ominously named "Coruna," specifically engineered to compromise older versions of the Apple iPhone's operating system. This exploit kit aims to pilfer sensitive cryptocurrency wallet information, thereby posing a serious threat to iOS users across the globe.

 

Understanding the Vulnerability Spectrum: iOS Versions at Risk

 

The Google Threat Intelligence Group (GTIG) revealed that the Coruna exploit kit is capable of assaulting iOS versions ranging from 13.0 to 17.2.1, spanning releases from 2019 to 2023. The researchers' detailed findings, outlined in a report released in March 2026, underscore the kit's capacity to deploy five complete iOS exploit chains and exploit 23 distinct vulnerabilities, some of which were previously undisclosed to the public eye.

 

A Deceptive Entry: How Coruna Operates

 

Coruna's primary mode of attack involves clandestine deployment through fraudulent cryptocurrency websites. When unsuspecting users accessed these sites using vulnerable iPhones, the hidden malicious code seized the opportunity to scrutinize device information and launch bespoke attacks crafted to exfiltrate financial data. The exploit's modus operandi includes probing for cryptocurrency wallet seed phrases and scanning communications for terms like "backup phrase" or "bank account." Notably, the exploit targets popular crypto applications such as MetaMask and Uniswap.

 

Tracing Coruna's Origin and Spread: An Ongoing Investigation

 

The journey of Coruna began in February 2025 when Google researchers first documented its utilization by a surveillance vendor attempting to breach mobile devices. By later that year, the exploit's presence was detected on compromised Ukrainian websites, strategically targeting selected iPhone users based on geographic location. As the calendar turned to December 2025, a growing number of fake finance-related websites surfaced with the embedded exploit, believed to be linked to nefarious operations by Chinese cybercriminals. Intriguingly, one such site masqueraded as a cryptocurrency trading platform to bait user engagement.

 

The Intricacies of Building Coruna: A Resource-Intensive Effort

 

While it remains uncertain how Coruna transcended its initial sphere of influence, Google speculates an active marketplace for pre-existing hacking apparatus may have facilitated its wider distribution. iVerify, a notable security company, has emphasized the sophistication of Coruna's development, implying significant financial investment and expertise. The co-founder, Rocky Cole, highlighted parallels between this tool and other modules reportedly developed by the US government.

 

Safeguarding Against Coruna: Immediate Steps for Users

 

Importantly, Google assures that devices operating on the latest iOS versions remain immune to the Coruna exploit. As a precaution, iPhone users worldwide are encouraged to promptly update their systems to enhance protection. Furthermore, individuals susceptible to elevated cyber risks should consider activating Apple's "Lockdown Mode," an added security layer designed to curb potential attack vectors on mobile platforms.

 

A Global Wake-Up Call: The Cybersecurity Imperative

 

With cryptocurrency usage on a global uptick, the insights from Google's report serve as a critical reminder of the persistent and evolving threats in the digital landscape. Markets with vigorous cryptocurrency engagement, such as Nigeria, remain particularly vulnerable to criminal tactics involving counterfeit investment platforms or phishing websites. By staying informed and taking proactive security measures, users can fortify their defenses against such sophisticated cyber onslaughts.