Researchers at Include Security have shown how a software kit made by Bright Data, embedded inside free apps on Samsung, LG, and Roku smart TVs, quietly turns those always-on devices into relays for someone else's web-scraping traffic. Users opt in through a consent screen buried in the TV's menu, then their home internet connection is used to fetch web pages for Bright Data's paying customers, many of them AI firms. The researchers found the control channel barely checks who is issuing commands, weaker than many malware families, and on iPhones the traffic even slips past VPNs and normal monitoring tools.
Italian digital forensics firm Forenser has documented an active zero-click WhatsApp account-takeover campaign targeting iPhone users on iOS 16. Victims (iPhone 8 through 14) reported messages requesting wire transfers being sent from their accounts to recent contacts, with no Linked Devices entries and no QR code interaction. Unified-log analysis shows continuous WhatsApp session-resync events - the signature of two endpoints competing for the same account, with the attacker bypassing the standard linked-device registration. The campaign exploits known iOS 16 vulnerabilities. Affected users do not see archived chats, suggesting the attacker has only recent-chat access. Forenser recommends upgrading to iOS 17 or later.
Kaspersky identified 26 malicious iOS apps live on the Apple App Store impersonating major cryptocurrency wallets including MetaMask, Coinbase, Trust Wallet, Ledger, TokenPocket, imToken, Bitpie, and OneKey. The campaign, named FakeWallet and linked to the SparkKitty operation, has been running since fall 2025. The apps used typosquatted names, cloned icons, and stub functionality (games, calculators, task planners) to pass App Store review. Some embed compromised viewDidLoad routines that scan the screen for mnemonic words as the user types and exfiltrate seed phrases via RSA-encrypted payloads. Apple removed 25 of the 26 after disclosure; the developer behind the 26th was terminated.
Apple released out-of-band iOS and iPadOS updates to fix a Notification Services flaw that kept notifications marked for deletion sitting in internal storage, where they could be pulled off the device later. The bug (CVE-2026-28950) landed after 404 Media reported that the FBI recovered Signal messages from a suspect's iPhone even after the user deleted them and even after Signal itself was uninstalled. The recovered text did not come from Signal's encrypted message store - it came from iPhone's internal notification buffer, which silently preserved incoming notification contents that the app and the OS both thought had been erased. Apple's advisory does not name the FBI case but describes exactly the data-persistence behavior 404 Media documented. Signal's team publicly thanked Apple for the fix. Beyond Signal users, this flaw matters for anyone who assumed that deleting a message or uninstalling an app wiped the underlying notification data from the phone - it did not. Forensic extraction of an unlocked iPhone could have surfaced any sensitive content ever pushed as a notification.
In an unusual move, Apple expanded iOS 18.7.7 to cover far more devices on April 1 - breaking its normal practice of using security updates to push users to the newest OS. Around 20% of iPhones remain on iOS 18 (some by choice, some because they can't run iOS 26), and Apple now considers the DarkSword threat serious enough to backport protections rather than leave those users exposed. The update covers iPhone XR through iPhone 16e and multiple iPad generations. Devices with Automatic Updates enabled get it without user action.
The leaked DarkSword iOS exploit kit is already being weaponized. Proofpoint attributes a new spear-phishing campaign to TA446 (also known as COLDRIVER/Star Blizzard), a Russian FSB-linked group that has never previously targeted Apple devices. The emails spoof Atlantic Council discussion invitations and redirect iPhone users to the exploit kit, which deploys the GHOSTBLADE dataminer. Proofpoint warns the targeting is unusually broad - hitting government, finance, legal, and education sectors.
A government-grade iPhone hacking toolkit called DarkSword was leaked on GitHub on March 23 - and researchers say it's trivially easy to use. Written entirely in HTML and JavaScript, anyone can host it and hack iPhones running iOS 18.4 through 18.7.1. It chains six vulnerabilities including three zero-days for full device takeover, stealing messages, location data, and crypto wallets. Roughly a quarter of all iPhones remain on vulnerable versions.