Hackers have been using malicious software to harvest photos and contacts from iPhones for years, researchers at Google have claimed, potentially affecting millions of people.
The monitoring – which gathers images and other information from iPhones which have visited compromised websites – is said to have affected devices running operating systems from iOS 10, released in 2016, to iOS 12.
Apps including Instagram, WhatsApp and Gmail would have been vulnerable to being accessed, potentially exposing personal data, on handsets hit by the so-called “monitoring implants”.
Project Zero, a team of security researchers at Google, said most of the security flaws were found within Safari, the default web browser on Apple devices, with the hacked sites having received thousands of visitors a week.
In a blog post, Project Zero expert Ian Beer said: “There was no target discrimination; simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, to install a monitoring implant.”
Although the implant is not saved on the device itself, it is capable of providing hackers with access whenever the owner visits a compromised website, Mr Beer said.
But while they would only have had access to the phone during those visits, hackers may have ended up with persistent access to other accounts and services by using stolen authentication tokens from the keychain – where the iPhone stores passwords and other login information.
Google, which has previously exposed a number of flaws within the iPhone app iMessage, said it reported the issues to Apple on 1 February, prompting Apple to release a software update six days later.
Apple told Sky News it did not want to comment specifically on Google’s claim.
However, the tech firm advised iPhone users to keep software up to date, describing it as “one of the most important things you can do to maintain your Apple product’s security”.
The findings from Project Zero were made public on the day Apple unveiled a date for what is widely expected to be the announcement of its next iPhone range.
Journalists and tech bloggers have been invited to an event at the Steve Jobs Theatre in California on 10 September, where new “pro” models of the iPhone have been tipped to be revealed.
Apple may also dedicate a chunk of time at the presentation to its commitment to privacy, having said this week that it will now allow users to opt out of having their interactions with Siri recorded.
The move followed claims regarding the use of human contractors to listen to audio samples, with one former worker saying they “regularly” overheard confidential encounters, including drug deals and people having sex.