Google Discloses Apple WebKit Vulnerability: Affects iOS 13 to 17.2.1, Approximately 42,000 iPhones Become "ATMs"


Google announced today (March 4) that it has released a blog post revealing a jailbreak toolkit codenamed Coruna for iPhones, which can affect models running iOS 13 to 17.2.1. Evidence indicates that this toolkit has already fallen into the hands of foreign spies and cybercriminals.

Google states that the Coruna toolkit is currently effective only on iOS versions 13.0 (released September 2019) through 17.2.1 (released December 2023), and Apple has patched the vulnerabilities in iOS 18.

The Coruna toolkit includes five complete iOS exploit chains, totaling 23 exploits. Its core value lies in integrating multiple undisclosed exploit techniques and bypass measures.

According to a blog post cited by IT Home, the Google Threat Intelligence Group (GTIG) discovered the following:

  • The toolkit was first detected in early 2025, used in targeted attacks.
  • In summer 2025, evidence showed that the espionage group UNC6353 used the toolkit to launch “watering hole” attacks by embedding malicious code into compromised websites via covert iFrames.
  • By the end of 2025, UNC6691 deployed the same toolkit in large-scale operations, creating numerous fake websites related to finance and cryptocurrency trading to lure users into visiting with iOS devices, exploiting vulnerabilities to steal assets.

Technically, the Coruna toolkit uses JavaScript frameworks for device fingerprinting, then delivers WebKit remote code execution (RCE) exploits and pointer authentication code (PAC) bypass attacks.

The final payload, called “PlasmaLoader” (tracked by GTIG as PLASMAGRID), injects itself into system processes and scans the device for cryptocurrency wallet apps (such as MetaMask and Trust Wallet), stealing mnemonics and private keys.

Data shows that approximately 42,000 devices have been compromised in profit-driven attacks, used to steal cryptocurrencies and private data. Code analysis indicates that the core development is highly professional, likely by a single author.

In response to this threat, Google has added all related websites and domains to the “Safe Browsing” blocklist. GTIG emphasizes that the Coruna toolkit cannot breach the latest versions of iOS. Therefore, iPhone users should immediately update their devices to the latest iOS version to eliminate the risk.
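For fleet triage against the version range reported above, the following added example (not from Google's post or this article) sorts an inventory export into devices inside and outside iOS 13.0 to 17.2.1. The CSV column names `device` and `os_version` and the sample rows are constructed assumptions; versions are compared numerically because a string comparison would misplace values such as 9.3.5.

```python
import csv
import io
import re

# Affected range as stated in the article: iOS 13.0 through 17.2.1, inclusive.
AFFECTED_MIN = (13, 0, 0)
AFFECTED_MAX = (17, 2, 1)

# Accepts "17", "17.2", "17.2.1", optionally prefixed with "iOS".
_VERSION_RE = re.compile(r"^\s*(?:iOS\s+)?(\d+)(?:\.(\d+))?(?:\.(\d+))?\s*$", re.IGNORECASE)

def parse_ios_version(text):
    """Return (major, minor, patch), padding missing parts with 0, or None."""
    m = _VERSION_RE.match(text or "")
    if not m:
        return None
    return tuple(int(p) if p else 0 for p in m.groups())

def classify(version_text):
    """'in_range', 'outside_range', or 'unknown' when the version cannot be parsed."""
    v = parse_ios_version(version_text)
    if v is None:
        return "unknown"  # blank or malformed: needs manual review, not a pass
    return "in_range" if AFFECTED_MIN <= v <= AFFECTED_MAX else "outside_range"

def triage(inventory_csv):
    """Group device names by classification (assumed columns: device, os_version)."""
    result = {"in_range": [], "outside_range": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        result[classify(row.get("os_version"))].append(row["device"])
    return result

# Constructed sample inventory, for illustration only.
SAMPLE = """device,os_version
iphone-a,13
iphone-b,17.2.1
iphone-c,17.3
iphone-d,iOS 16.7.2
iphone-e,12.5.7
iphone-f,18.0
iphone-g,
iphone-h,9.3.5
"""

if __name__ == "__main__":
    for bucket, devices in triage(SAMPLE).items():
        print(bucket, devices)
```

`outside_range` means only that the version is outside the range the article gives; the article's advice is still to update to the latest iOS version.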
