The implants had the ability to steal private data such as iMessages, photos and GPS location in real-time, according to the Google researchers.
Ian Beer, of Google’s security research team Project Zero, said in a blog post on Thursday that hackers exploited iPhone vulnerabilities to surreptitiously place the implant on the phones of users who visited certain hacked websites.
“There was no target discrimination; simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant,” he explained. “We estimate that these sites receive thousands of visitors per week.”
Beer did not identify the hacked websites in the post.
“The hacked sites were being used in indiscriminate watering hole attacks against their visitors,” he added.
The experts discovered a total of 14 iPhone vulnerabilities related to the five exploits. According to Google, seven of the vulnerabilities were related to the iPhone’s web browser. Google says that it notified Apple of the vulnerabilities on Feb 1, 2019, and the iPhone maker patched them on Feb. 7, 2019.
Google researchers identified five separate and unique “iPhone exploit chains,” which they say covered almost every version of the iOS operating system, from iOS 10 to the latest version of iOS 12.
“This indicated a group making a sustained effort to hack the users of iPhones in certain communities over a period of at least two years,” Beer explained.
In a tweet, Beer described the research undertaken by Project Zero as “a huge effort to pull apart and document almost every byte of a multi-year in-the-wild exploitation campaign.”
In his blog post Beer also warned that, while the hacking campaign spotted by Project Zero has been tackled, “there are almost certainly others that are yet to be seen.”
Other security experts have also voiced their concern about the reported targeting on iPhone vulnerabilities.
“For a long time, there has been a myth that iOS and OSX are secure operating systems and don't need any security systems like anti-malware to protect them,” said Boris Cipot, a senior security engineer at software security firm Synopsys, in a statement emailed to Fox News. “This last attack reinforces that there is no such thing as a completely secure operating system: ‘100 percent secure’ doesn’t exist.”
Fox News has reached out to Apple with a request for comment on this story.
Apple is expected to launch its latest iPhones at an event at its headquarters in Cupertino, Calif. on Sept. 10. The tech giant is expected to launch three new iPhones at the event at the Steve Jobs Theater on its campus, according to reports.
Fox Business’ Jonathan Garber contributed to this article.
Follow James Rogers on Twitter @jamesjrogers