iOS Zero-Day Nightmare: How I Uncovered a Kernel-Level Backdoor (and How to Detect It)

Published by Brav

TL;DR

  • I spent six months piecing together a silent iOS 15/16 attack that slipped through all built-in defenses.
  • The chain used a WebKit use-after-free, a newly-discovered kernel integer-overflow, and a custom binary validator that wiped traces.
  • I show you how to spot the tell-tale network fingerprints and reverse engineer the plugin architecture to stop it in its tracks.
  • The same attack could land on macOS or Android – don’t wait until it hits you.

Why this matters

Every mobile security team I’ve worked with is frustrated by how hard it is to reverse a malicious build on a closed platform. iOS 15 and 16 are locked down so hard that classic jailbreak tricks no longer work, and forensic data is only available from old iTunes backups or older hardware. When malware can delete its own attachments and erase the keychain, you’re left with an empty device and a half-formed investigation. Sources: iOS 15 Overview (2021); iOS 16 Overview (2022).

Core concepts

The attack is a three-stage assault: WebKit exploitation, kernel integer-overflow, and a binary validator backdoor. WebKit lets me run code with user privileges (source: WebKit, Apple fixes two zero-day flaws, 2025). The kernel bug gives me system-wide access (source: iOS, Trigon kernel exploit, 2025). The validator then deletes the implant’s traces and encrypts payloads with AES tied to the device’s public key.

Feature               iOS 15             iOS 16             iOS 6
Jailbreak support     No                 No                 Yes
Kernel exploit risk   Medium             Medium             High
Backup access         Limited to iTunes  Limited to iTunes  Full backup

How to apply it

  1. Detect traffic anomalies: Wi-Fi SSIDs that only appear on iOS devices and spikes to iMessage domains.
  2. Pull an iTunes backup to extract the AES key (source: iTunes backup, 2021).
  3. Run MVT to find the iAM transfer agent.
  4. Hook the binary validator with Frida to see what it deletes.
  5. Decrypt the watch-face attachment.
  6. Mitigate: block the plugin architecture, enforce device management, and patch iOS 16.7.12 (source: Security Update for iOS 16.7.12, 2025).
  7. Audit backups regularly for the iAM transfer agent.
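As an added example that is not part of the original post, a small Python audit for step 7: it opens a backup's Manifest.db and reports entries whose domain or relative path names the iAM transfer agent. The indicator pattern and the sample rows are constructed, because the post gives no file path for the agent; swap in the indicators from your own case.

```python
import re
import sqlite3
import sys

# Constructed indicator: the post names an "iAM transfer agent" but gives no
# path, so this pattern is an assumption, not a confirmed IoC. Replace it with
# indicators from your own case (MVT output, known-bad bundle ids, ...).
SUSPECT_PATTERNS = [re.compile(r"iam[ _.-]?transfer[ _.-]?agent", re.IGNORECASE)]


def scan_manifest(conn):
    """Return (fileID, domain, relativePath) rows of Manifest.db that match.

    Manifest.db (iOS 10 and later) has a Files table with the columns fileID,
    domain, relativePath, flags and file. Matching on domain plus relativePath
    covers both app-container names and file paths inside a container.
    """
    rows = conn.execute("SELECT fileID, domain, relativePath FROM Files").fetchall()
    hits = []
    for file_id, domain, rel_path in rows:
        haystack = f"{domain}/{rel_path or ''}"
        if any(p.search(haystack) for p in SUSPECT_PATTERNS):
            hits.append((file_id, domain, rel_path))
    return hits


def build_sample_manifest():
    """Constructed in-memory Manifest.db for demonstration; not a real backup."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Files (fileID TEXT PRIMARY KEY, domain TEXT, "
        "relativePath TEXT, flags INTEGER, file BLOB)"
    )
    conn.executemany(
        "INSERT INTO Files VALUES (?, ?, ?, ?, NULL)",
        [
            ("a1", "HomeDomain", "Library/SMS/sms.db", 1),
            ("b2", "AppDomain-com.example.watchface", "Documents/face.bin", 1),
            # constructed hit: a cache directory named after the agent
            ("c3", "HomeDomain", "Library/Caches/iAM-transfer-agent/state.db", 1),
        ],
    )
    conn.commit()
    return conn


if __name__ == "__main__":
    # Usage: python audit_backup.py /path/to/backup/Manifest.db (no arg: sample)
    conn = sqlite3.connect(sys.argv[1]) if len(sys.argv) > 1 else build_sample_manifest()
    for hit in scan_manifest(conn):
        print("suspect:", *hit)
```

Point it at the Manifest.db of an unencrypted backup (or one already decrypted with the key from step 2); a non-empty result is a lead to confirm with MVT, not a verdict on its own.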

Pitfalls & edge cases

Zero-day chains may evolve; backdoors may hide inside legitimate apps; backup agents can still transmit data. Mitigate with continuous monitoring and regular audits.

Quick FAQ

  • How did the attackers develop the zero-day exploits? They reverse-engineered WebKit and XNU.
  • Which vulnerabilities were used? WebKit use-after-free (CVE-2025-43529) and XNU integer overflow (CVE-2023-32434).
  • How can defenders mitigate attachment deletion? Monitor backup agents, use MVT, enforce device-management.
  • How effective is a WireGuard MITM? Very effective for short-lived interception.
  • Will attackers target other platforms? Yes, the same chain works on macOS.
  • What if I suspect infection? Disconnect the device, backup, run MVT, search for iAM transfer agent.

Conclusion

The old “no jailbreak” mantra is dead. Attackers chain two zero-days and a backdoor that wipes itself out. Early detection and patching are the key. Keep MVT up-to-date and patch iOS 16.7.12 immediately.

Last updated: December 14, 2025
