TrendPulse Logo

Apple made strides with iOS 26 security, but leaked hacking tools still leave millions exposed to spyware attacks

Source: TechCrunchView Original
technologyMarch 26, 2026

The common assumption among iPhone security experts has been that finding vulnerabilities and developing exploits for iOS was difficult, requiring a lot of time, resources, and teams of skilled researchers to break through its layers of security defenses. That meant iPhone spyware and zero-day vulnerabilities, which aren’t known to the software vendor before they are exploited, were rare and only used in limited and targeted attacks, as Apple itself says.

But in the last month, cybersecurity researchers at Google, iVerify, and Lookout have documented several broad-scale hacking campaigns using tools, known as Coruna and DarkSword, which have been near-indiscriminately targeting victims around the world who are not yet running Apple’s most up-to-date software. Some of the hackers behind these attacks include Russian spies and Chinese cybercriminals, and target their victims via hacked websites or fake pages, allowing them to potentially steal phone data from a large number of victims.

Now, some of these tools have leaked online, allowing anyone to take the code and easily launch their own attacks against Apple users running older versions of iOS.

Apple has invested significant resources in new security and development technologies, such as introducing memory-safe code for its latest iPhone models, and launching features like Lockdown Mode specifically to counter potential spyware attacks. The goal has been to make modern iPhones more secure, and to strengthen the claim that the iPhone is very hard to hack.

But there are still a lot of older, out-of-date iPhones that are now easier targets for spyware-wielding spies and cybercriminals.

There are now essentially two security classes of iPhone users.

Users on the latest iOS 26 running on the most recent iPhone 17 models released in 2025 have a new security feature called Memory Integrity Enforcement, which is designed to stop memory corruption bugs, some of the most commonly exploited flaws used in spyware and phone unlocking attacks. DarkSword relied heavily on memory corruption bugs, according to Google.

Then, there are iPhone users who still run the previous version of Apple’s mobile software, iOS 18, or even older versions, which have been vulnerable to memory-based hacks and other exploits in the past.

Contact Us

Do you have more information about DarkSword, Coruna, or other government hacking and spyware tools? From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram, Keybase and Wire @lorenzofb, or by email.

The discovery of Coruna and DarkSword suggest that memory-based attacks could continue to plague users of older iPhones and iPads that lag behind the newer, more memory-safe models.

Experts working for iVerify and Lookout, two cybersecurity companies that have a commercial stake in selling security products for mobile devices, say Coruna and DarkSword may also challenge the long-held assumption that iPhone hacks are rare.

iVerify’s co-founder Matthias Frielingsdorf told TechCrunch that mobile attacks are now “widespread,” but he also said that attacks relying on zero-days against the most up-to-date software “will always be charged at a premium rate,” implying that these will not be used to hack people on a broad scale.

Patrick Wardle, an Apple security expert, said one problem is that people call attacks against iPhones rare or sophisticated just because they are seldom documented. But the reality, he said, is that these attacks may be out there but are not always caught.

“Calling them ‘highly advanced’ is a bit like calling tanks or missiles advanced,” Wardle told TechCrunch. “It’s true, but it misses the point. That’s simply the baseline capability at that level, and all (most) nations have them (or can acquire them for the right price).”

Another problem highlighted by Coruna and DarkSword is that there is now an apparently thriving “second-hand” market, which creates the financial incentive “for exploit developers and individual brokers to essentially get paid twice for the same exploit,” according to Justin Albrecht, principal researcher at Lookout.

Especially when the initial exploit gets patched, it makes sense for brokers to resell it before everyone updates.

“This isn’t a one-time event, but rather a sign of things to come,” Albrecht told TechCrunch.

Topics

Apple, China, Coruna, cybersecurity, Darksword, Google, hackers, hacking, iOS, iverify, Lookout, russia, Security, Spyware, Zero-days

Lorenzo Franceschi-Bicchierai

Senior Reporter, Cybersecurity

Lorenzo Franceschi-Bicchierai is a Senior Writer at TechCrunch, where he covers hacking, cybersecurity, surveillance, and privacy.

You can contact or verify outreach from Lorenzo by emailing lorenzo@techcrunch.com, via encrypted message at +1 917 257 1382 on Signal, and @lorenzofb on Keybase/Telegram.

View Bio

April 30

San Francisco, CA

StrictlyVC kicks off the year in SF. Get in the ro

Apple made strides with iOS 26 security, but leaked hacking tools still leave millions exposed to spyware attacks | TrendPulse