The iPhone Exploit Chain Google Just Exposed — and Why Millions of Older Devices Remain at Risk

Google's Threat Analysis Group has disclosed a three-stage exploit chain targeting older iPhones running outdated iOS versions, exposing tens of millions of devices to potential surveillance. The findings highlight growing risks for users whose hardware can no longer receive Apple's latest security patches.
The iPhone Exploit Chain Google Just Exposed — and Why Millions of Older Devices Remain at Risk
Written by Sara Donnelly

Google’s Threat Analysis Group has disclosed yet another sophisticated exploit chain targeting iPhones running older versions of iOS, a revelation that underscores the persistent vulnerability of devices that haven’t received — or can’t receive — the latest security patches from Apple. The findings, first reported by 9to5Mac, detail a multi-stage attack that could give adversaries complete control over affected handsets, from initial code execution in the browser to full kernel-level access.

This isn’t a theoretical exercise. The exploits were found in the wild.

According to Google’s disclosure, the attack chain begins with a WebKit vulnerability — the rendering engine that powers Safari and every other browser on iOS. A victim needs only to visit a malicious or compromised website. No clicks required beyond that initial navigation. From there, the exploit escalates privileges through a sandbox escape and ultimately reaches the kernel, the most privileged layer of the operating system. Once an attacker achieves kernel access, the device is effectively theirs: they can install surveillance tools, exfiltrate data, intercept communications, and persist through reboots in some configurations.

The specific vulnerabilities chained together in this attack affect iOS versions prior to 16.7.1, meaning any iPhone stuck on iOS 15 or earlier — whether by user neglect or hardware limitation — is a potential target. Apple dropped security support for the iPhone 7 and earlier models when iOS 16 launched, and those devices have received only sporadic emergency patches since. The iPhone 8 and iPhone X can run iOS 16 but are now approaching their own end-of-life horizon. That leaves tens of millions of active devices worldwide in a precarious position.

Google’s Threat Analysis Group, known internally as TAG, has become one of the most prolific discoverers of zero-day and n-day exploit chains targeting Apple’s mobile platform. The team, led by researchers including Maddie Stone and Clément Lecigne, has a mandate to track government-backed hacking operations and the commercial spyware vendors that supply them. Their track record speaks volumes. In 2023 alone, TAG disclosed multiple exploit chains used by surveillance companies like Intellexa and NSO Group. The pattern has continued into 2024, 2025, and now 2026.

What makes this latest disclosure particularly notable is the target profile. Previous high-profile iPhone exploits — the kind deployed by NSO Group’s Pegasus spyware — typically targeted the newest iOS versions and the latest hardware. Those zero-day chains commanded prices north of $2 million on the gray market. But this chain targets older software. That’s a different calculus entirely.

Cheaper. More accessible. And aimed at a population of users who are disproportionately located in developing nations, where older iPhones circulate longer in secondary markets.

Security researchers have warned for years about the growing bifurcation in mobile device security. Users with the latest hardware and software receive rapid patches, sometimes within days of a vulnerability’s discovery. Users on older devices don’t. Apple has made efforts to backport critical fixes — it pushed emergency patches to iOS 15 as recently as late 2025 for a handful of actively exploited vulnerabilities — but the coverage is inconsistent. Some bugs get backported. Many don’t. And the criteria Apple uses to decide which fixes reach legacy devices remain opaque.

Google’s TAG team didn’t attribute this particular exploit chain to a specific threat actor or commercial spyware vendor in its initial disclosure, though the sophistication of the chain — three distinct vulnerabilities linked together with reliable exploitation — points toward a well-resourced operation. Developing a working exploit chain of this complexity requires deep knowledge of iOS internals, weeks or months of development time, and access to test devices running the targeted software versions. Script kiddies need not apply.

The WebKit vulnerability at the chain’s entry point is a type confusion bug, a class of memory corruption issue that has plagued browser engines for decades. WebKit type confusions have been among the most frequently exploited vulnerability classes in iOS over the past five years, according to data compiled by Google’s Project Zero. Apple has invested heavily in mitigating these bugs through techniques like Pointer Authentication Codes (PAC) and memory tagging, but those defenses are strongest on newer hardware — the A12 chip and later. Older chips lack full PAC implementation, making exploitation materially easier.

So an attacker faces a paradox of choice: target the newest devices, where the bugs are worth more but the mitigations are fierce, or target older devices, where the bugs are cheaper to acquire but the defenses are comparatively thin. This latest chain suggests at least some threat actors are choosing the latter path.

The sandbox escape component of the chain exploits a flaw in an IPC (inter-process communication) mechanism that Apple uses to isolate web content processes from the rest of the system. Sandbox escapes have historically been the hardest link in an iOS exploit chain to develop, because Apple’s sandbox is among the most restrictive in the industry. But older iOS versions contain IPC attack surface that Apple has since refactored or removed entirely in iOS 17 and 18. The attackers appear to have targeted a code path that simply no longer exists in current software — a ghost vulnerability, present only in the past.

The kernel bug is an integer overflow in a memory management routine. Classic. These kinds of vulnerabilities have been a staple of kernel exploitation for over two decades, and while Apple has added significant hardening to its kernel in recent releases — including Kernel Data Protection and PPL (Page Protection Layer) — older kernels lack these features or implement them incompletely.

Apple declined to comment specifically on Google’s findings when reached by multiple outlets, instead pointing to its existing security update documentation and recommending that all users update to the latest available software version. That recommendation, while sound, rings hollow for the millions of users whose devices can’t run the latest iOS.

The disclosure arrives at a moment when the global conversation around device longevity and security support is intensifying. The European Union’s Cyber Resilience Act, which takes full effect in 2027, will require manufacturers to provide security updates for connected devices throughout their “expected lifetime” — a term that remains subject to interpretation but that regulators have suggested could mean five years or more from the date of last sale. Apple already exceeds this threshold for its flagship devices, typically providing five to six years of major iOS updates. But the gap between “major update support” and “security patch support” is where the danger lives.

An iPhone 7 purchased new in late 2016 received its last major iOS update (iOS 15) in 2021 and its last security patch in mid-2023. That’s roughly seven years of some form of support — impressive by industry standards. But the device is still physically functional. Its battery can be replaced. Its screen can be repaired. And in markets across Southeast Asia, Africa, and Latin America, it’s still being used daily. The security support, however, is gone.

This creates what researchers at the University of Cambridge have called a “security poverty line” — a threshold below which users cannot protect themselves regardless of their behavior. You can avoid suspicious links. You can decline to install sideloaded apps. But if your browser engine has an unpatched type confusion bug that triggers on page load, your vigilance is irrelevant.

Google’s decision to publish these findings follows its standard 90-day disclosure policy, under which it notifies the affected vendor and waits 90 days before going public, regardless of whether a patch has been issued. Apple was notified in December 2025, according to the TAG advisory. No patch for the affected legacy iOS versions has been released as of this writing.

Whether one will come is an open question. Apple has shown willingness to push emergency patches to iOS 15 for the most severe actively exploited vulnerabilities, but three-bug chains targeting devices two or more generations behind the current hardware may fall below Apple’s internal threshold for backporting. The company has never publicly articulated where that threshold sits.

The commercial spyware industry, meanwhile, continues to adapt. Following the U.S. Commerce Department’s addition of NSO Group and Candiru to its Entity List in November 2021, and subsequent sanctions and legal actions against other vendors, the market hasn’t shrunk — it has fragmented. Smaller, less visible companies have emerged to fill demand from government clients worldwide. Some of these newer entrants specifically market capabilities against older device models and software versions, positioning themselves as cost-effective alternatives to the premium zero-day brokers who focus on current-generation targets.

A report published earlier this year by the Atlantic Council’s Digital Forensic Research Lab documented at least fourteen commercial spyware vendors actively marketing iOS exploitation capabilities, up from eight identified in a similar survey conducted in 2023. Not all of these vendors possess genuine capabilities — the market has its share of vaporware and exaggeration — but the trend line is clear. Demand for mobile exploitation tools, including those targeting older platforms, is growing.

For enterprise security teams, the implications are direct. Corporate BYOD policies that permit older iPhones on the network are accepting a risk that’s becoming harder to quantify and harder to mitigate. Mobile device management solutions can enforce minimum OS version requirements, but doing so means telling employees their perfectly functional phones are no longer welcome on the corporate network. That’s a conversation many IT departments have been reluctant to have.

They may not have a choice much longer.

Google’s TAG team has signaled that it intends to continue publishing research on exploit chains targeting legacy mobile platforms, viewing it as a necessary public service. “The security of older devices is a collective problem,” Maddie Stone wrote in a post on the TAG blog accompanying the technical advisory. “Sunlight remains the best disinfectant.” The implicit message to Apple and other device manufacturers: patch your legacy devices, or we’ll keep showing the world why you should.

Apple, for its part, has taken steps in recent iOS releases to make exploitation harder across the board. iOS 18, released in September 2025, introduced additional kernel hardening measures and expanded the scope of Lockdown Mode, which disables certain attack surfaces like JIT compilation in WebKit. But Lockdown Mode is opt-in, and its availability is limited to devices running iOS 16 or later. The users most at risk — those on iOS 15 and below — can’t access it.

The fundamental tension here isn’t technical. It’s economic. Every month that Apple continues to support a legacy iOS version costs engineering resources — developer time, QA cycles, infrastructure for building and distributing updates. At some point, the cost of supporting a shrinking installed base exceeds the benefit, at least from a corporate perspective. But the users on those devices don’t disappear when support ends. They just become more vulnerable.

And vulnerability, in the context of state-sponsored surveillance and commercial spyware, isn’t an abstraction. It’s a journalist in Manila whose iPhone 7 gets compromised because they clicked a link in a WhatsApp message. It’s a human rights lawyer in Nairobi whose contacts and case files are silently exfiltrated. It’s a dissident in Minsk who thought Apple’s reputation for security meant their aging device was safe.

It wasn’t.

The exploit chain Google disclosed this week is a reminder that security is not a permanent state. It’s a moving target, and the moment a device stops receiving updates, the target stops moving — but the attackers don’t. For the millions of iPhone users worldwide running software that Apple no longer fully supports, the math is unforgiving. Every new vulnerability discovered in legacy iOS code widens the gap between what their device can withstand and what their adversaries can deliver.

Google has shown, once again, what that gap looks like in practice. The question now is what Apple — and the broader industry — intends to do about it.

Subscribe for Updates

CybersecurityUpdate Newsletter

The CybersecurityUpdate Email Newsletter is your essential source for the latest in cybersecurity news, threat intelligence, and risk management strategies. Perfect for IT security professionals and business leaders focused on protecting their organizations.

By signing up for our newsletter you agree to receive content related to ientry.com / webpronews.com and our affiliate partners. For additional information refer to our terms of service.

Notice an error?

Help us improve our content by reporting any issues you find.

Get the WebProNews newsletter delivered to your inbox

Get the free daily newsletter read by decision makers

Subscribe
Advertise with Us

Ready to get started?

Get our media kit

Advertise with Us