Kaspersky, the Russian security giant, recently found a large security hole in iOS — and promptly told Apple so that the firm could receive the bounty that large companies often get for finding vulnerabilities.
Apple, on the other hand, apparently has other ideas. Upon being told of the vulnerability, Apple has refused to pay the usually requisite bounty, leaving Kaspersky without the fee it usually passes on to charities.
- iPhone deals: Verizon | AT&T | Mint Mobile
No bounty?
Reported by Russian outlet RTVI, Kaspersky found “zero-day, zero-click vulnerabilities, transferred all the information to Apple, and did a useful job. Essentially, we reported a vulnerability to them, for which they must pay a bug bounty”. That bounty would normally be paid, according to Kaspersky, to charity.
The issue seems related to a previous Kaspersky find, which saw the security team publish a report on the “discovery of the ‘most sophisticated cyberattack’ on iOS, the purpose of which was to silently introduce spyware into the iPhone.” This was a security attack that could infect any iPhone. Users needn’t even click the contents of the related infected message they would be sent— merely getting the message into an inbox would infect a device, with an attachment opening itself and spreading the malicious code around the device.
According to Kaspersky, the attack is all about data gathering. “Collection of any information from devices: geolocation, cameras, microphones, files, contacts. In general, all the data that can be represented on the device. This was definitely not a financially motivated cyber attack.” It’s that last bit that’s so interesting — the attack isn’t interested in how you pay for things, only your information.
Currently, Kaspersky says that it found the security issue on staff iPhones, “both top management and middle managers.” While it seems like a targeted attack on one company, it’s still worth saying that being cautious remains key to your iPhone security.
Why isn’t Apple paying up?
As for the lack of bounty payment, that is anyone's best guess. 9to5 Mac points out that as a Russian company, Kaspersky could well be affected by sanctions on the country with the continuing war on Ukraine — although this is speculation on the part of the author.
Thanks to that lack of bounty payment Kaspersky says that it is now moving its focus away from iOS and towards the rival Android platform instead. “All employees of the company are now being issued corporate mobile devices on Android as planned, step by step. We left iOS not because it is less secure, but because we, as a security vendor, want to have more control over the security of devices” the firm explains — and really, can you blame it?
