iOS silently updated: Stealthy iMessage Flaw Exploited by Sophisticated Hackers Targeting High-Profile Individuals
- Dean Charlton

- Jun 6, 2025
- 3 min read
A previously undiscovered vulnerability in Apple's iMessage service has been exploited by highly sophisticated attackers, leading to the compromise of iPhones belonging to prominent individuals across the United States and the European Union. This "zero-click" flaw, meaning it required no interaction from the user to be exploited, was silently addressed by Apple in its iOS 18.3 update.
Dubbed "NICKNAME" by cybersecurity firm iVerify, which uncovered the exploit, the vulnerability affected iOS versions up to 18.1.1. Its discovery sheds light on how attackers could gain unauthorized access to iPhones by exploiting a subtle flaw within iMessage's contact profile update feature. The simplicity of the attack vector is particularly concerning: all that was needed was the target's phone number or Apple ID.
The NICKNAME vulnerability specifically leveraged a "race condition" within the "imagent" process, the core component handling all iMessage traffic on iOS devices. When users update their contact profiles – encompassing details like nicknames, photos, or wallpapers – the system generates "Nickname Updates," which are then processed by the recipient's device. The critical flaw stemmed from Apple's previous method of handling the data associated with these updates. The system used mutable data containers (specifically, NSMutableDictionary objects) that one thread could modify even while another thread was simultaneously accessing them. This created a classic race condition: one thread might attempt to read the Nickname Update details while another thread concurrently altered the same data container.

Such a race can corrupt memory and had the potential to trigger a Use-After-Free (UAF) condition, causing the imagent process to crash. However, for advanced threat actors, the memory-safety bug behind such a crash could be leveraged as a "primitive" – a foundational building block – to achieve remote code execution on the targeted devices, effectively taking control of the iPhone.
iVerify's investigation involved analyzing crash data from nearly 50,000 devices between April 2024 and January 2025. They found that imagent crashes specifically related to Nickname Updates were exceedingly rare, accounting for less than 0.001% of all collected crash logs. What made these rare occurrences stand out was their exclusive appearance on devices belonging to individuals who are typically targets for advanced persistent threat (APT) groups.
The affected devices belonged to a range of high-value targets, including political campaign staff, journalists, technology executives, and government officials in both the EU and the US. Notably, researchers observed these specific crashes on at least one device owned by a senior European Union government official approximately thirty days before that individual received an official Apple Threat Notification – a warning issued by Apple when they suspect a user has been targeted by state-sponsored attackers.
Further forensic examination of these compromised devices revealed suspicious activity consistent with known spyware cleanup procedures. On at least one device, directories containing SMS attachments and message metadata were modified and emptied just 20 seconds after the imagent crash. This specific behavior mirrors techniques previously observed in confirmed commercial spyware attacks, suggesting a sophisticated post-exploitation cleanup operation.
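The crash-log triage described above can be expressed as a small correlation rule: flag imagent crashes tied to Nickname Updates, then look for activity in message-related directories in the minute that follows. The following is an added example written for this article, not iVerify's tooling or data; the log layouts, timestamps, paths and the 60-second window are all constructed for illustration.

```python
"""Constructed triage example: correlate imagent crashes tied to Nickname
Updates with activity in message-related directories shortly afterwards,
the pattern the article describes (directories emptied ~20 s after a crash).
All log lines, field layouts and paths below are made up for this example
and are not iVerify's data or a real iOS log format.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Tuple


@dataclass
class CrashEvent:
    ts: datetime
    process: str
    reason: str


@dataclass
class FsEvent:
    ts: datetime
    action: str
    path: str


# Constructed sample crash telemetry: "<ISO time> <process> <free-text reason>"
CRASH_LOG = """\
2024-11-02T09:15:03Z imagent EXC_BAD_ACCESS while applying nickname update
2024-11-02T10:01:11Z SpringBoard watchdog timeout
2024-11-03T14:22:40Z imagent SIGABRT unrelated assertion failure
"""

# Constructed sample file-system events: "<ISO time> <action> <path>"
FS_LOG = """\
2024-11-02T09:15:23Z emptied /var/mobile/Library/SMS/Attachments
2024-11-02T09:15:23Z modified /var/mobile/Library/SMS/sms.db
2024-11-03T14:25:00Z modified /var/mobile/Media/DCIM
"""

# Path fragments whose sudden modification right after an imagent crash is
# worth a closer look (constructed watch list; tune to what you collect).
WATCHED_PATH_FRAGMENTS = ("/Library/SMS/",)
CLEANUP_WINDOW = timedelta(seconds=60)


def _parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def load_crashes(text: str) -> List[CrashEvent]:
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, proc, *reason = line.split()
        out.append(CrashEvent(_parse_ts(ts), proc, " ".join(reason)))
    return out


def load_fs_events(text: str) -> List[FsEvent]:
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, action, path = line.split(maxsplit=2)
        out.append(FsEvent(_parse_ts(ts), action, path))
    return out


def is_nickname_crash(c: CrashEvent) -> bool:
    return c.process == "imagent" and "nickname" in c.reason.lower()


def nickname_crash_rate(crashes: List[CrashEvent]) -> float:
    """Fraction of all crash logs that are imagent Nickname Update crashes.
    The article puts the fleet-wide baseline below 0.001%; a device well
    above that baseline is the anomaly worth triaging."""
    if not crashes:
        return 0.0
    return sum(is_nickname_crash(c) for c in crashes) / len(crashes)


def correlate(crashes: List[CrashEvent], fs_events: List[FsEvent],
              window: timedelta = CLEANUP_WINDOW) -> List[Tuple[CrashEvent, List[FsEvent]]]:
    """Pair each Nickname Update crash with watched-path events that occur
    within `window` after it. A pairing is a cleanup indicator, not proof."""
    hits = []
    for c in crashes:
        if not is_nickname_crash(c):
            continue
        followers = [e for e in fs_events
                     if c.ts <= e.ts <= c.ts + window
                     and any(frag in e.path for frag in WATCHED_PATH_FRAGMENTS)]
        if followers:
            hits.append((c, followers))
    return hits


def seconds_after(crash: CrashEvent, event: FsEvent) -> float:
    return (event.ts - crash.ts).total_seconds()


if __name__ == "__main__":
    crashes = load_crashes(CRASH_LOG)
    for crash, events in correlate(crashes, load_fs_events(FS_LOG)):
        print(f"{crash.ts.isoformat()} imagent crash: {crash.reason}")
        for e in events:
            print(f"  +{seconds_after(crash, e):.0f}s {e.action} {e.path}")
```

On the constructed input the rule isolates the single Nickname Update crash and the two SMS-directory events 20 seconds behind it, while the unrelated imagent crash and the photo-directory change are ignored. In practice the window and watch list should follow the artefacts your collection actually captures.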
Apple's solution, implemented in iOS 18.3, involved a more robust approach to handling Nickname Updates. The fix now ensures that immutable copies of dictionaries are used when broadcasting nickname updates. This change effectively prevents the race condition that enabled the exploitation, closing the window for this particular attack vector.
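The two patterns contrasted in the paragraphs above (a shared mutable container read by one thread while another mutates it, versus an immutable copy taken before broadcasting) can be shown side by side. The following is an added example written for this article, not Apple's code: the update fields, the listener callback and the deterministic "racing writer" are constructed, and Python's RuntimeError stands in for the memory corruption the same interleaving causes in unmanaged memory.

```python
"""Constructed illustration of the hazard behind NICKNAME and of the
snapshot-style fix: a broadcaster walks a shared profile-update dictionary
while a second actor mutates it. Not Apple's code; the update contents and
listener names are made up. Python raises RuntimeError on the unsafe
interleaving; in unmanaged memory the same interleaving is what can turn
into a use-after-free.
"""
from types import MappingProxyType
from typing import Callable, List, Mapping, MutableMapping

Listener = Callable[[str, object], None]


def make_update() -> dict:
    """Constructed stand-in for a 'Nickname Update' payload."""
    return {"nickname": "Alice", "photo": b"<png bytes>", "wallpaper": "blue"}


def broadcast_mutable(update: MutableMapping, listener: Listener) -> List[str]:
    """Weak pattern: iterate the live, shared, mutable container while
    notifying listeners. Anything that mutates 'update' during the walk
    races with this loop."""
    delivered = []
    for key, value in update.items():
        listener(key, value)        # another actor may run here
        delivered.append(key)
    return delivered


def broadcast_immutable(update: Mapping, listener: Listener) -> List[str]:
    """Hardened pattern: copy first, then iterate a read-only snapshot.
    Later writes to 'update' cannot affect this walk, and the proxy rejects
    writes through the snapshot itself."""
    snapshot = MappingProxyType(dict(update))
    delivered = []
    for key, value in snapshot.items():
        listener(key, value)
        delivered.append(key)
    return delivered


def concurrent_writer(shared: MutableMapping) -> Listener:
    """Deterministic stand-in for the racing thread: when the first field
    is delivered, insert a new field into the shared container."""
    def listener(key: str, value: object) -> None:
        if key == "nickname":
            shared["status"] = "away"
    return listener


def run_weak(update: dict) -> str:
    try:
        broadcast_mutable(update, concurrent_writer(update))
        return "completed"
    except RuntimeError as exc:        # CPython's guard against exactly this
        return f"aborted: {exc}"


def run_hardened(update: dict) -> List[str]:
    return broadcast_immutable(update, concurrent_writer(update))


if __name__ == "__main__":
    print(run_weak(make_update()))       # aborted: dictionary changed size during iteration
    print(run_hardened(make_update()))   # ['nickname', 'photo', 'wallpaper']
```

The point of the hardened version is that the broadcast never holds a reference to the container the writer is changing: it pays for one shallow copy and in exchange its view cannot be pulled out from under it. The writer's update still lands in the live dictionary and will be picked up by the next broadcast, which is the behaviour a notification system wants anyway.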
The imagent process has historically been a prime target for sophisticated attackers, having been exploited in several high-profile campaigns, including the notorious FORCEDENTRY and BLASTPASS operations. Despite Apple's implementation of BlastDoor sandboxing in iOS 14 – a security feature designed to isolate and protect against such attacks – determined threat actors continue to find narrow vulnerabilities within Apple's formidable defenses.
Security experts strongly advise all iPhone users to update to the latest iOS version immediately. For individuals at high risk of being targeted by advanced threats, enabling Apple's Lockdown Mode is also highly recommended, as it provides additional layers of protection against sophisticated zero-click attacks.