Zero‑click exploit warning
Researchers and social posts flagged a zero‑click exploit dubbed 'DarkSword' that targets older iOS 18.4–18.7 builds and can expose passwords and wallets unless patched. Security posts urged updating to iOS 26 or, for older devices, 18.7.7 while enterprise defensive guidance rolled out in parallel.
Apple and outside researchers are warning that unpatched iPhones on older iOS 18 builds can be compromised by a web-based attack chain called DarkSword. (support.apple.com)

A zero-click exploit is the mobile equivalent of a lock that opens without you touching it: the attack runs without a tap, download, or reply. Apple said recent web attacks targeted out-of-date iPhones through malicious web content, and that updated devices were not at risk. (support.apple.com)

Google Threat Intelligence Group said DarkSword is a “full-chain” exploit, meaning it links several software flaws together until attackers can take over the device. Google said the chain used six vulnerabilities, worked against iOS 18.4 through 18.7, and had been observed in campaigns dating back to November 2025. (cloud.google.com)

Google said the exploit was used by multiple commercial surveillance vendors and suspected state-backed groups against targets in Saudi Arabia, Turkey, Malaysia, and Ukraine. After a successful compromise, Google said operators deployed three malware families it calls GhostBlade, GhostKnife, and GhostSaber. (cloud.google.com)

Lookout said DarkSword was delivered through “watering hole” attacks, where attackers booby-trap legitimate websites and wait for targets to visit. The company said a single site visit could give attackers kernel-level access on vulnerable phones, letting them escape app sandboxes and run code on the device. (lookout.com)

That helps explain the warnings about passwords, wallets, and account data. Apple’s own guidance says a malicious link or compromised website on an older iPhone can put the data on that phone at risk of being stolen. (support.apple.com)

Apple said the fixes tied to DarkSword first shipped in 2025, but it released iOS 18.7.7 and iPadOS 18.7.7 on March 24, 2026 for devices still on that branch. Apple then expanded availability on April 1, 2026 so more users with Automatic Updates turned on could receive the protections automatically. (support.apple.com)

For newer supported devices, Apple says the safest path is the latest version of iOS 26, and Google said all DarkSword vulnerabilities were patched by iOS 26.3, with most fixed earlier. Apple also says the latest updated versions of iOS 15 through iOS 26 are protected. (support.apple.com, cloud.google.com)

Apple added two backstops for people who are behind on updates. It said Safari’s Safe Browsing blocks the malicious domains identified in these attacks by default, and Lockdown Mode protects against these specific attacks even on out-of-date software, though Apple still says users should update as soon as possible. (support.apple.com)

Companies are treating this as an enterprise problem as well as a consumer one. Lookout told administrators to enforce minimum operating-system versions for iOS 18.4 through 18.7 devices, enable phishing and content protection, and isolate high-risk phones, while iVerify said DarkSword can bypass multifactor authentication and operate outside the visibility of traditional mobile-device-management tools. (lookout.com, iverify.io)

The immediate advice is narrower than the online panic: if an iPhone is fully updated, Apple says it is already protected. If it is still on an older iOS 18 build, Apple says to move to the latest iOS 26 release if possible, or install iOS 18.7.7 if that is the newest version the device can run. (support.apple.com, support.apple.com)
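
The minimum-version enforcement and isolation guidance above can be applied to a device inventory as follows. This is an added example, not code from Apple, Google, Lookout or iVerify; the inventory rows are constructed, and the function names and status labels (`exposed`, `mitigated`, `partial`, `verify`) are hypothetical.

```python
import re

# Version boundaries are the ones stated in the article above.
AFFECTED_FROM = (18, 4, 0)   # chain worked against iOS 18.4 through 18.7
FIXED_18 = (18, 7, 7)        # fix released for devices staying on iOS 18
FIXED_26 = (26, 3, 0)        # all DarkSword flaws patched by iOS 26.3

def parse_version(text):
    """'18.7' -> (18, 7, 0); None if the inventory field holds junk."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){0,2}", text):
        return None
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def triage(os_version, lockdown_mode=False):
    """Classify one device against the version facts in the article."""
    v = parse_version(os_version)
    if v is None:
        return "unknown"        # cannot assess: treat as non-compliant
    if AFFECTED_FROM <= v < FIXED_18:
        # Lockdown Mode blocks these attacks but does not replace the update.
        return "mitigated" if lockdown_mode else "exposed"
    if v[0] == 18 and v >= FIXED_18:
        return "patched"
    if v >= FIXED_26:
        return "patched"
    if v[0] == 26:
        return "partial"        # "most" fixes landed before 26.3, not all
    return "verify"             # other branches: article gives no build numbers

def devices_to_isolate(inventory):
    """Return ids of devices that should be isolated until updated."""
    return [d["id"] for d in inventory
            if triage(d["os"], d.get("lockdown", False)) in ("exposed", "unknown")]

# Constructed inventory rows, standing in for an MDM export.
SAMPLE = [
    {"id": "ph-01", "os": "18.6.2"},
    {"id": "ph-02", "os": "18.7.7"},
    {"id": "ph-03", "os": "18.5", "lockdown": True},
    {"id": "ph-04", "os": "26.2"},
    {"id": "ph-05", "os": "n/a"},
]

if __name__ == "__main__":
    for d in SAMPLE:
        print(d["id"], d["os"], triage(d["os"], d.get("lockdown", False)))
    print("isolate:", devices_to_isolate(SAMPLE))
```

Devices that come back `mitigated`, `partial` or `verify` still need an update or a manual check against Apple's current release list; only `patched` meets the minimum-version policy.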