Tim Hardwick, MacRumors:
An Israeli security firm claims it has developed a smartphone surveillance tool that can harvest not only a user’s local data but also all their device’s communications with cloud-based services provided by the likes of Apple, Google, Amazon, and Microsoft.
From the paywalled Financial Times article that broke the story:
The new technique is said to copy the authentication keys of services such as Google Drive, Facebook Messenger and iCloud, among others, from an infected phone, allowing a separate server to then impersonate the phone, including its location.
This grants open-ended access to the cloud data of those apps without “prompting 2-step verification or warning email on target device”, according to one sales document.
And don’t miss this response from Apple:
In response to the report, Apple told FT that its operating system was “the safest and most secure computing platform in the world. While some expensive tools may exist to perform targeted attacks on a very small number of devices, we do not believe these are useful for widespread attacks against consumers.”
Um. That is quite different from a denial, which makes me think this story is true. And once the tools are out there, you know they will find their way into black hat hands. Hopefully, Apple will silently update my devices with a leapfrog update to obsolete these tools.