
Google has found a “powerful” set of tools that are being used to break into iPhones.
The suite of exploits, known as ‘Coruna’, has been passed around in cyber attacks online, and appears to have been used by everyone from governments to criminals looking to steal money, Google said.
An attack starts with just clicking a malicious link, the company said. From there, the tools can be used to get around an iPhone’s defences and break into central parts of the phone.
It can be started in five different ways and uses some 23 different vulnerabilities, strung together, to break into a device.
It is unclear where the tools began their life, and Google researchers called the attack “mysterious”. Mobile security company iVerify suggested that it had evidence that it might have started as a US government tool that was then leaked more broadly.
But they have since been passed around between various attackers around the world – used in suspected government attacks on Ukrainian users as well as by Chinese scammers looking to steal money – in a way that suggests there is an “active market” for “second-hand” exploits, Google said.
It was first spotted in February 2025 but has been used on various websites since, researchers said. A host of Chinese websites largely focused on finance were found to be using the attack, hoping that visitors would click on a malicious link and then allow the exploit into their phone.
It affects iPhones that are running iOS versions between 13 and 17.2.1, the latter of which was first released in December 2023. Updating Apple devices to the latest software should therefore protect them from the attack.