Last week’s significant hack of iPhones also targeted Android smartphones and Windows computers, it has been reported.
Google dropped hints about nation-state involvement in its announcement, but a separate report that Windows and Android devices were also on the target list offers a new twist to the story.
If correct, the inclusion of Windows and Android shouldn’t be surprising – when targeting specific groups of people through a small group of websites, it makes sense to target as many computing devices as possible so as not to miss anyone.
Of course, none of this can currently be verified. For now, these are simply unnamed sources talking to a few journalists, offering information that might never be confirmed.
Indeed, that it is being taken seriously at all is partly down to the fact that the companies involved – Google, Microsoft, Apple – seem unwilling to deny any of it.
However, another way of understanding this story is to point out that the who and why are less important than the how.
Underscoring this is that Google’s original report mentions that unintended victims were also caught up in the attacks, which implies that anyone could be a victim of a future campaign.
Victims were reportedly infected with spyware after being persuaded to open a malicious link – a generic but effective tactic.
Reportedly, the infected domains were indexed by Google search (perfectly normal if the domain is not known to be malevolent), which prompted the FBI to ask the company to delist them.
The first issue is what has been done for the victims, both those targeted and those infected as collateral damage.
The campaign was discovered early in 2019, and the iPhone vulnerabilities involved are known to have been fixed since then; Apple’s process for deploying patches is well oiled. If Android or Windows devices were involved, though, the patching timeline becomes less certain because updates might be optional and slow to appear.