Hackers gained access to iPhones through a sophisticated security flaw in Apple’s built-in email app that Apple hasn’t yet fixed, according to new research by a cybersecurity firm.

The cybersecurity firm, ZecOps, began conducting research after finding suspicious lines of code on iPhones belonging to a client. Customers of ZecOps, a two-year-old cybersecurity firm with offices in San Francisco, instruct their employees to connect their iPhones to a computer or kiosk that uploads data logs to a central server, where they are analyzed for suspicious activity.

Zuk Avraham, ZecOps’s CEO and co-founder, said that the code stood out because it wasn’t found on many other iPhones. Avraham and others at the company investigated it for months, eventually discovering that it was connected to a previously unknown flaw in Apple’s mail app. ZecOps alerted Apple, which is fixing the flaw, he said.

Apple spokesman Todd Wilder declined to comment.

The discovery of the flaw highlights a problem that has increasingly come to light in recent months. While Apple’s marketing claims that its iPhones are better secured than the competition, its mobile operating system called iOS is particularly vulnerable to sophisticated attacks like the one that befell Amazon CEO Jeff Bezos last year. (Bezos also owns The Washington Post.)

Like the attack suspected on Bezos’ phone, the hack that ZecOps says it discovered is referred to as a “zero click” attack. While less sophisticated attacks require the victim to click on a link, usually in a phishing email or text message, a zero click exploit requires no participation on the part of the victim. In this case, the perpetrators can send an email to the victim containing the malicious code. That code can then set off a chain reaction, called an “exploit chain,” that knocks down all the phone’s defenses one by one, erasing its tracks along the way and making it nearly impossible to detect.

Avraham declined to name the clients he believes were targeted, but said in a blog post Thursday they include a Fortune 500 company in North America, a journalist in Europe, an executive in Japan and others.


ZecOps still has no idea who might have been behind the attacks that it says affected its clients, but Avraham said in an interview that he believes the attack was likely carried out by a nation-state or some deep-pocketed entity.

Apple makes it difficult for security researchers to find bugs in iPhones, which both whittles down the number of people capable of prying into the operating system and simultaneously increases the value of exploits, which are sold on the black market to the highest bidder. Those bidders include nation-states and third party security companies that help deep-pocketed entities hack into their enemies’ iPhones. Once an exploit is successful, Apple’s locked-down security makes it nearly impossible for victims to know they’ve been hacked.

The murkiness of iOS makes the job of companies like ZecOps extremely difficult. Even with the ability to scan the logs of its clients’ iPhones, the company is often only able to theorize whether there’s been an attack, with varying degrees of certainty. That’s what makes its most recent discovery so rare. It was able to essentially reverse-engineer suspicious activity and use it to discover an actual unknown security exploit.

While the hack raises questions about whether iPhone users should use the built-in mail app, removing it can create challenges for users. Even if an Apple customer deletes the Mail app, there is no way to change the default email application to a competing app, such as Microsoft’s Outlook. Deleting the app can lead to a loss of functionality. For instance, clicking on an email link will no longer work and users will be greeted by a message from Apple requesting that they re-download the Mail app.