Coruna iOS Exploit: How to Detect and Prevent Infection

Google Threat Intelligence Group has publicly disclosed Coruna, a sophisticated iOS exploit kit targeting iPhones running iOS 13 through 17.2.1.

At the same time, researchers at iVerify released independent findings after several weeks of analysis tracking the same framework in the wild.

The exploit kit contains 23 exploits across five full attack chains capable of silently compromising an iPhone through a malicious webpage. Once triggered, it can escalate privileges, install implants, and extract sensitive data, including messages, photos, and credentials.

Much of the public conversation since the disclosure has focused on one thing:

“iPhones are under attack.”

What’s missing is the other half of the story: There are practical steps individuals and organizations can take to reduce their risk and, critically, detect an active breach.

Here’s what you should know.

How Does Coruna Infect a Device

Understanding the attack helps clarify where defenses work.

Coruna is typically delivered via watering-hole attacks, compromised or malicious websites that silently execute an exploit chain when a vulnerable iPhone visits the page.

The attack chain works roughly like this:

1. Malicious webpage loads in Safari

2. A WebKit exploit triggers remote code execution

3. A privilege escalation exploit gains full device access

4. The malware installs an implant inside legitimate iOS processes, like:

   • powerd

   • locationd

5. Additional modules are downloaded to steal data or access apps.

   • 18 different cryptocurrency wallets

   • Imagent 

   • WhatsApp 

   • Springboard (giving access to apps like photos and notes)

Because the implant runs within legitimate system processes, users see no warning or suspicious app installation.

This is why traditional mobile defenses often fail to detect it.

Want to learn more about Coruna? Catch up on our town hall briefing here.

Why Is Coruna a Turning Point for Mobile Security?

Historically, advanced iOS exploits were:

• extremely rare

• used only by governments

• deployed against specific high-value targets

Coruna represents a major shift.

Our security researchers believe the framework was likely originally developed by a nation-state and later leaked or sold, allowing criminal groups to repurpose it for mass exploitation.

In an interview with technology journalist Andy Greenberg, Rocky Cole, COO and Co-founder at iVerify, described this moment as mobile security’s “EternalBlue moment,” referencing the exploit used in the 2017 WannaCry ransomware outbreak.

In other words, tools once used to spy on heads of state are now being deployed against ordinary iPhone users.

How Can Individuals Protect Their iPhones Against Coruna?

The good news for those worried about the pervasiveness of Coruna is that basic security hygiene dramatically reduces risk. 

Here are four steps to take to protect yourself:

1. Update iOS Immediately

The vulnerabilities used by Coruna have been patched in newer versions of iOS.

If your device is running iOS 17.3 or later, the exploit chains observed by researchers should no longer work.

Keeping automatic updates enabled is the single most important defense against any kind of threat.

2. Be Careful With Links

Coruna infections rely on victims loading a malicious webpage.

This means attacks are commonly delivered through:

• smishing (SMS phishing)

• malicious links on websites

• compromised forums or blogs

If you receive an unexpected link, especially related to crypto, finance, or urgent requests, don’t click it.

3. Avoid Outdated Devices

Devices that cannot run modern iOS versions remain permanently exposed to many mobile exploits.

If your iPhone is no longer receiving security updates, it may be time to replace it.

4. Deploy Mobile Threat Detection Tools

Traditional antivirus tools don’t exist on iOS due to platform restrictions. This is why having a tool that detects compromise after a breach is essential.

The iVerify Basic App, which is currently free to allow users to check for signs of compromise, is specifically designed to detect sophisticated attacks like Coruna by analyzing:

• system logs

• forensic artifacts

• suspicious network activity

• indicators of compromise (iVerify has the latest indicators for Coruna).

This deep-level analysis provides an immediate, non-intrusive way to scan your device for known Coruna infections, giving you the visibility traditional mobile defenses lack.

How Should Businesses Respond to the Coruna Threat?

Organizations face a larger challenge: mobile devices have become a primary endpoint for accessing corporate data.

Many enterprises assume their existing mobile security stack protects them, but that is largely untrue. MDM, for instance, enforces policy but does not detect or stop attacks at the OS level, meaning a device can be fully enrolled and managed, yet still be compromised. Similarly, containerization does not protect the device; separating work apps into a container does not prevent the underlying operating system from being exploited. Once the OS is compromised, containers are easily breached and exploited.

1. Patch All Corporate iPhones Immediately

Within 72 hours, organizations should ensure:

• All corporate devices run iOS 17.3 or later

• Devices that cannot update are removed from sensitive access

MDM tools can enforce patching policies, but they cannot detect this class of attack.

2. Identify Unmanaged Devices

Many companies allow employees to access email, SaaS platforms, and internal systems from personal devices outside mobile management systems. These devices represent a major blind spot.

As a matter of urgency, organizations should identify any devices accessing corporate systems that are not enrolled in MDM or security monitoring. This is particularly critical in environments supporting Bring Your Own Device (BYOD), where enterprises may lack comprehensive visibility into all personal devices accessing sensitive data and networks.

3. Bolster Detection with Enterprise-Grade Mobile Security 

Many enterprise mobile programs rely on MDM and MAM, which enforce policy but do not detect attacks at the operating system level. Once the OS is compromised, attackers can access both personal and corporate data.

To gain the necessary system-level visibility, you must assess whether your security stack provides visibility into system-level activity on mobile devices.

The iVerify Enterprise platform provides continuous, system-level monitoring and advanced forensic capabilities to detect known exploit frameworks like Coruna, offering a critical layer of defense that traditional MDM cannot. Start your free trial today.

4. Conduct Forensic Reviews for Individuals Running Vulnerable iOS Versions

While certain roles are especially attractive targets for mobile attackers — executives, finance teams, legal departments, and IT administrators — the reality is that anyone can be a target. 

The threat is what the device can access, not who carries it, meaning all mobile devices with access to corporate resources must be protected.

In the wake of Coruna, organizations should consider forensic device reviews for any user who was running vulnerable iOS versions.

 iVerify's security experts can provide these on-demand, in-depth analyses using the latest Coruna indicators.

5. Review Mobile Security Architecture

The Coruna threat requires a critical review of your existing security stack. Organizations must review their mobile security architecture against this class of threat and determine whether detection capabilities need to be extended to the system level, as MDM and MAM tools alone are not enough to detect this type of compromise.

The Bigger Lesson: Mobile Is A Primary Attack Surface

For years, organizations disproportionately focused security investments on laptops, servers, and cloud infrastructure. Meanwhile, mobile devices quietly became the most used computing platform in the enterprise. Coruna is a sharp reminder that attackers have noticed this critical shift.

2025 saw an 85% increase in the number of organizations reporting attacks on mobile devices, according to the Verizon 2025 Mobile Security Index. 

The reality is simple:

If your security strategy ignores mobile endpoints, you are leaving a massive, unaddressed gap in your entire defense posture.

Final Thoughts

Coruna represents a significant escalation in the mobile threat landscape, but it does not mean iPhones are suddenly defenseless.

Like most cybersecurity risks, the biggest difference comes from visibility and basic security hygiene:

• keeping devices patched

• avoiding malicious links

• monitoring endpoints for signs of compromise with the iVerify App.

For organizations, it’s also a reminder that mobile security needs to evolve alongside the threat landscape. The tools once reserved for nation-state espionage are no longer staying there. The genie is out of the bottle now!

Get protected today by downloading the free iVerify Basic App for individuals or contact the iVerify team about Enterprise solutions.