Security researchers at Google have found evidence of a “sustained effort” to hack iPhones over a period of at least two years.
The attack was said to be carried out using websites which would discreetly implant malicious software to gather contacts, images and other data.
Google’s analysis suggested the booby-trapped websites were said to have been visited thousands of times per week.
Apple told the BBC it did not wish to comment.
The attack was shared in great detail in a series of technical posts written by British cybersecurity expert Ian Beer, a member of Project Zero, Google’s taskforce for finding new security vulnerabilities, known as zero days.
“There was no target discrimination,” Mr Beer wrote.
“Simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant.”
Mr Beer and his team said they discovered attackers were using 12 separate security flaws in order to compromise devices. Most were bugs within Safari, the default web browser on Apple products.
Once on a person’s iPhone, the implant could access an enormous amount of data, including (though not limited to) contacts, images and GPS location data. It would relay this information back to an external server every 60 seconds, Mr Beer noted.