Security researchers at Google said they found malicious websites that served iPhone exploits for almost three years.
The attacks weren’t aimed at particular iOS users, as most iOS exploits tend to be used, but were aimed at any user accessing these sites via an iPhone.
“There was no target discrimination; simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant,” said Ian Beer, a member of Google Project Zero, Google’s elite security team.
The exploits also didn’t require any user interaction to trigger. Google said the first website to host any of the exploits went live on September 13, 2016. The websites appeared to have been hacked, and the exploits planted by a third-party, rather than the site owner.