iOS 26 Security: Millions Still at Risk From Leaked Spyware Tools
For years, the prevailing belief within the iPhone security community was that exploiting iOS was a formidable challenge. It was thought to require substantial time, resources, and highly skilled teams to penetrate Apple’s robust security defenses. This led to the assumption that iPhone spyware and zero-day vulnerabilities – flaws unknown to Apple – were rare and reserved for targeted attacks, a narrative Apple itself consistently reinforced. However, recent revelations are shattering this perception.
The Rise of Coruna and DarkSword: A New Era of iPhone Hacking
In the past month, cybersecurity researchers at Google, iVerify, and Lookout have documented widespread hacking campaigns leveraging tools known as Coruna and DarkSword. These tools have been used to indiscriminately target users around the world who run older, unpatched versions of iOS. The attackers behind these campaigns include state-sponsored Russian spies and Chinese cybercriminals, who compromise websites and create fake pages to deliver the spyware, potentially compromising data from a vast number of victims.
The alarming development is that some of these powerful tools have now leaked online. This means anyone can acquire the code and launch their own attacks against Apple users who haven’t updated to the latest iOS version. This democratization of exploit tools significantly lowers the barrier to entry for malicious actors.
Apple’s Security Advancements: A Two-Tiered System
Apple has made significant investments in bolstering iPhone security, introducing memory-safe code for newer models and features like Lockdown Mode specifically designed to counter spyware. These advancements aim to solidify the iPhone’s reputation as a secure device. However, these protections are not universally available.
A clear divide has emerged, creating essentially two classes of iPhone users:
- Modern iPhones (iOS 26 & iPhone 17): Users running the latest iOS 26 on the most recent iPhone 17 models (released in 2025) benefit from a new security feature called Memory Integrity Enforcement. This feature is designed to prevent memory corruption bugs, a common class of vulnerability exploited by spyware and phone unlocking attacks. Google’s research indicates that DarkSword relied heavily on these types of bugs.
- Older iPhones (iOS 18 & Earlier): Users still operating on previous versions of iOS, such as iOS 18 or older, remain vulnerable to memory-based hacks and other exploits that have been previously identified.
The discovery of Coruna and DarkSword underscores the continued risk faced by users on older devices, highlighting the importance of timely software updates.
Are iPhone Hacks Becoming More Common?
Experts at iVerify and Lookout, both cybersecurity firms specializing in mobile security, suggest that Coruna and DarkSword challenge the long-held assumption that iPhone hacks are rare occurrences.
Matthias Frielingsdorf, co-founder of iVerify, told GearTech that mobile attacks are now “widespread.” However, he also emphasized that zero-day exploits targeting the most up-to-date software “will always be charged at a premium rate,” suggesting they won’t be used for mass-scale attacks.
The Illusion of Sophistication
Patrick Wardle, a renowned Apple security expert, argues that attacks against iPhones are often labeled as “rare” or “sophisticated” simply because they are infrequently documented. He believes the reality is that these attacks may be more prevalent than we realize, but often go undetected.
“Calling them ‘highly advanced’ is a bit like calling tanks or missiles advanced,” Wardle explained to GearTech. “It’s true, but it misses the point. That’s simply the baseline capability at that level, and all (most) nations have them (or can acquire them for the right price).”
The Emerging “Second-Hand” Exploit Market
Coruna and DarkSword have also exposed a thriving “second-hand” market for exploits. This creates a financial incentive for exploit developers and brokers to profit from the same vulnerability multiple times.
Justin Albrecht, principal researcher at Lookout, explains that once an exploit is patched, brokers can resell it before widespread updates occur. “This isn’t a one-time event, but rather a sign of things to come,” Albrecht told GearTech. The ability to monetize exploits even after they’ve been patched encourages continued research and development of hacking tools.
Understanding the Financial Incentives
The existence of this market fundamentally changes the economics of vulnerability research. Instead of relying solely on finding new zero-day exploits, researchers can continue to profit from older vulnerabilities by selling them to different buyers. This creates a continuous supply of tools available to malicious actors.
What Does This Mean for iPhone Users?
The implications of these findings are significant for all iPhone users. Here’s a breakdown of key takeaways:
- Update Immediately: The most crucial step is to ensure your iPhone is running the latest version of iOS. Apple regularly releases security updates that patch vulnerabilities exploited by tools like Coruna and DarkSword.
- Enable Lockdown Mode: For users concerned about targeted attacks, enabling Lockdown Mode provides an extra layer of security, although it may impact some device functionality.
- Be Vigilant About Links and Websites: Avoid clicking on suspicious links or visiting untrusted websites, as these can be used to deliver spyware.
- Understand Your Risk Profile: Individuals who are likely targets of state-sponsored attacks (journalists, activists, political figures) should take extra precautions.
The Future of iOS Security
Apple’s commitment to memory safety and features like Lockdown Mode are positive steps towards enhancing iOS security. However, the emergence of leaked spyware tools and the thriving exploit market demonstrate that the battle is far from over.
The industry needs to focus on several key areas:
- Faster Patching: Reducing the time it takes to release and deploy security updates is critical.
- Improved Exploit Mitigation: Developing more robust exploit mitigation techniques can make it harder for attackers to succeed.
- Increased Transparency: Greater transparency from Apple regarding vulnerabilities and security incidents can help users make informed decisions.
The iOS 26 security landscape is evolving rapidly. Staying informed and taking proactive steps to protect your device is more important than ever. The proliferation of tools like Coruna and DarkSword serves as a stark reminder that even the most secure platforms are not immune to attack.