Apple has made big strides in iOS 26 security, but leaked hacking tools still leave millions vulnerable to spyware attacks

A common assumption among iPhone security experts was that finding vulnerabilities and developing exploits for iOS was difficult, requiring a lot of time, resources, and teams of skilled researchers to penetrate layers of security defenses. This meant that iPhone spyware and sub-zero vulnerabilities, which the software vendor did not know about before exploiting them, were rare and only used in limited, targeted attacks, as Apple itself says.

But last month, cybersecurity researchers at Google, iVerify, and Lookout documented several large-scale hacking campaigns using tools known as Coruna and DarkSword, which were almost indiscriminately targeting victims around the world who were not yet using Apple’s latest software. The hackers behind these attacks include Russian spies and Chinese cybercriminals, and they target their victims via hacked websites or fake pages, allowing them to steal phone data from a large number of victims.

Now, some of these tools have leaked online, allowing anyone to take the code and easily launch their own attacks against Apple users running older versions of iOS.

Apple has invested significant resources in new security and development technologies, such as introducing memory-secure code for the latest iPhone models, and launching features such as Lockdown Mode specifically to counter potential spyware attacks. The goal was to make modern iPhones more secure, and reinforce the claim that the iPhone is very difficult to hack.

But there are still plenty of older iPhones out there that are now easier targets for spies and cybercriminals using spyware.

There are now two basic security categories for iPhone users.

Users of the latest iOS 26 running on the latest iPhone 17 models released in 2025 have a new security feature called Memory Integrity Enforcement, which is designed to stop memory corruption errors, one of the most commonly exploited flaws used in spyware attacks and phone unlocking. DarkSword relied heavily on memory corruption bugs, according to Google.

Then, there are iPhone users who are still running the previous version of Apple’s mobile software, iOS 18, or even older versions, which were vulnerable to memory-based hacks and other exploits in the past.

The Coruna and DarkSword discovery suggests that memory-based attacks could continue to infect users of older iPhones and iPads that lag behind newer, more memory-secure models.

Experts at iVerify and Lookout, two cybersecurity companies with a commercial stake in selling mobile security products, say Coruna and DarkSword may also challenge the long-held assumption that iPhone hacks are rare.

iVerify co-founder Matthias Frelingsdorff told TechCrunch that attacks on mobile devices are now “widespread,” but he also said that zero-day attacks against the latest software “will always have high prices,” implying that they will not be used to hack people on a large scale.

One problem is that people describe attacks against iPhones as rare or sophisticated simply because they are rarely documented, said Patrick Wardle, a security expert at Apple. But he said the reality is that these attacks may exist but are not always detected.

“Calling it ‘highly advanced’ is a bit like calling tanks or advanced missiles,” Wardle told TechCrunch. “This is true, but it misses the point. This is simply the basic capability at this level, and all (most) countries have it (or can get it at the right price).”

Another issue highlighted by Coruna and DarkSword is that there is now a seemingly thriving “second-hand” market, creating a financial incentive for “individual exploit developers and middlemen to get paid twice for the same exploit,” according to Justin Albrecht, principal researcher at Lookout.

Especially when the initial vulnerability is patched, it makes sense for brokers to resell it before everyone else updates.

“This is not a one-time event, but rather a sign of things to come,” Albrecht told TechCrunch.