Chinese Hacking Crew Exploits iPhones and Google Nexus Devices, Awarded $200,000

Apple’s iPhone and Google’s Nexus 6P, which run iOS and Android – two most widely-used mobile phone platforms in the world have been hacked this week as a part of the Pwn2Own white hat hackers contest.

Organized and run by security firm Trend Micro’s Zero Day Initiative (ZDI) in Japan, the iPhone 6S and the Nexus 6P were hacked by a prominent Chinese hacking crew called Keen Lab, reports chttps://h2.vc/reports/fintechinnovators/2016.

Tencent-owned Keen Lab was able to steal pictures from an Apple iPhone 6S by exploiting two iOS vulnerabilities. For this hack, the hacking outfit were awarded $52,500. Keel Lab also installed a rogue application on the iPhone 6S. While the app did not trigger any malicious deeds following a  reboot – due to a default security configuration setting engineered by Apple – ZDI still bought the bugs used in the exploit for a further $60,000.

Meanwhile, the Nexus 6P, the flagship product of the Android platform until Google’s recently launched Pixel phones, was also exploited successfully. Keen Lab was able to install a malicious app on the device, combining two different bugs along with other unspecified vulnerabilities in Android. The attack was carried out not once, but three times, netting Keen Lab as astonishing sum of $102,500.

Talking about Keen’s findings and exploits, ZDI chief executive Brian Gorenc stated:

These are critical in nature as they allow an attacker to disclose sensitive information or install a malicious application. We’ve seen similar exploits recently used in the wild.

The vulnerabilities were quickly handed over to the relevant companies, Apple and Google. Gorenc added that while work on patches are already underway, it might take months before those patches are released.

Furthermore, Gorenc also revealed an interesting takeaway about the mechanism in which exploits that target the most popular phones in the world, succeed.

All of the exploits were triggered by browsing to a malicious website. From that perspective, it’s relatively simple to trick a user into this scenario. Crafting the exploit itself isn’t trivial and requires months of research and experimentation.

 Image credit: Pixabay.