Apple strengthens iOS 26 security, but leaked hacking tools expose millions to spyware risks
Apple improved iOS 26 security, yet leaked hacking tools continue to put millions of users at risk of spyware attacks and data breaches.
Apple has long been regarded by security researchers as one of the toughest ecosystems to penetrate, with iOS vulnerabilities traditionally requiring extensive resources, highly skilled teams, and significant time to exploit. This difficulty meant that iPhone spyware and zero-day vulnerabilities — flaws unknown to the vendor before exploitation — were relatively rare and typically reserved for highly targeted operations, as Apple itself has maintained.
However, recent developments are challenging that assumption. Over the past month, cybersecurity researchers from Google, iVerify, and Lookout have uncovered multiple large-scale hacking campaigns leveraging tools known as Coruna and DarkSword. These tools have been used in near-indiscriminate attacks targeting individuals worldwide, particularly those who have not updated to the latest version of iOS.
The campaigns are believed to involve actors such as Russian intelligence operatives and Chinese cybercriminal groups. Victims are typically targeted via compromised websites or deceptive pages, allowing attackers to exfiltrate sensitive data from a wide range of devices.
Adding to the concern, portions of these hacking tools have reportedly leaked online. This exposure significantly lowers the barrier to entry, allowing less sophisticated actors to deploy similar attacks against users running outdated versions of iOS.
Apple, meanwhile, has been investing heavily in strengthening its mobile security architecture. The company has introduced memory-safe coding practices in its latest devices and deployed features like Lockdown Mode, designed specifically to defend against advanced spyware attacks. These efforts are part of a broader strategy to reinforce the perception — and reality — that modern iPhones are extremely difficult to compromise.
Despite these advancements, many older iPhones remain in active use, making them a much softer target for attackers. As a result, the iPhone ecosystem is now effectively split into two distinct security tiers.
Users running iOS 26 on newer devices, such as the iPhone 17 models released in 2025, benefit from a feature called Memory Integrity Enforcement. This security mechanism is designed to prevent memory corruption vulnerabilities, which are among the most commonly exploited weaknesses in spyware and device intrusion techniques. According to Google researchers, tools like DarkSword rely heavily on such memory-based flaws.
On the other hand, users who continue to operate devices running iOS 18 or earlier remain exposed to a range of known vulnerabilities, including memory-based exploits that have been repeatedly targeted in past attacks. The emergence of Coruna and DarkSword suggests that such attacks will continue to pose a serious risk to users who do not upgrade their devices or software.
Security experts from iVerify and Lookout — both companies that develop mobile security solutions — have indicated that these developments may reshape long-standing beliefs about iPhone security. Matthias Frielingsdorf, co-founder of iVerify, noted that mobile cyberattacks are becoming increasingly widespread. However, he emphasised that zero-day exploits targeting fully updated devices remain costly and are likely to be reserved for high-value targets rather than mass exploitation.
Patrick Wardle, a well-known Apple security researcher, argued that the perception of rarity surrounding iPhone attacks may stem from underreporting rather than actual scarcity. He suggested that such attacks could be more common than widely believed, but often go undetected or undocumented.
“Calling them ‘highly advanced’ is a bit like calling tanks or missiles advanced,” Wardle explained. “It’s true, but it misses the point. That’s simply the baseline capability at that level, and all (most) nations have them (or can acquire them for the right price).”
Another emerging concern highlighted by the Coruna and DarkSword cases is the existence of a growing secondary market for exploits. Justin Albrecht, a principal researcher at Lookout, explained that this market allows developers and brokers to resell exploits multiple times, especially after initial vulnerabilities have been patched. This creates ongoing financial incentives for the development and distribution of exploits.
In many cases, even after a software update fixes the underlying vulnerability, the exploit can still be sold and used against users who have not yet updated their devices.
“This isn’t a one-time event, but rather a sign of things to come,” Albrecht said, pointing to a future where exploit reuse and distribution could become increasingly common.