iMessage Zero-Click Attacks Suspected in Targeting of High-Value Individuals

iVerify links iPhone crashes to sophisticated zero-click attacks via iMessage targeting individuals involved in politics in the EU and US.


Anomalous crashes on iPhones belonging to high-value individuals in the EU and US can potentially be associated with sophisticated zero-click attacks targeting an iMessage vulnerability, mobile EDR firm iVerify says.

The suspicious activity, observed in late 2024 and early 2025, with the most recent incidents dated March 2025, supposedly targeted six devices belonging to individuals affiliated with political campaigns, governments, media organizations, and tech companies in the EU and US.

On four of the devices, the security firm found signatures associated with the exploited vulnerability, called Nickname, while the other two showed clear signs of exploitation. All victims were previously targeted by Chinese state-sponsored hackers.

At least one of the victims, iVerify says in a technical report (PDF), received an Apple Threat Notification approximately one month after the crashes.

The exploited bug resides in ‘imagent’, the process handling iMessage traffic, including data associated with Nickname Updates, a feature that allows users to share personalized contact information.

The process uses a mutable data container when broadcasting the updates to other parts of the system, and the container could be changed while being accessed by other processes, creating a race condition that could trigger a use-after-free memory corruption flaw.

According to iVerify, the most concerning aspect of the security defect is the fact that it can be triggered without user interaction, by sending “repeated, rapid-fire nickname updates to iMessage”.

The underlying security defect, iVerify notes, was seen in devices running iOS versions up to 18.1.1, and was resolved in the iOS 18.3.1 release earlier this year.


The security firm’s investigation uncovered crashes related to Nickname Updates only on the devices of individuals potentially targeted by sophisticated threat actors, and the firm believes the bug might have been used as part of a larger exploit chain leading to device compromise.

On iPhones on which the Nickname vulnerability was likely exploited, iVerify found that directories related to SMS attachments and message metadata were modified and emptied 20 seconds after the ‘imagent’ process crashed, a pattern of clean-up activity typically associated with confirmed spyware attacks.
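The crash-then-cleanup pattern described above can be expressed as a simple timeline correlation. The sketch below is an added example, not code from iVerify or from the original article. The record layout, the placeholder directory labels, and the 30-second window (an assumed tolerance around the 20 seconds cited in the report) are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed timeline records (not real device data). Directory labels are
# placeholders, not actual iOS paths.
CRASHES = [
    {"ts": "2025-03-01T10:00:00", "process": "imagent"},
    {"ts": "2025-03-01T11:00:00", "process": "imagent"},
    {"ts": "2025-03-01T12:00:00", "process": "otherproc"},
]
DIR_EVENTS = [
    {"ts": "2025-03-01T10:00:20", "dir": "<sms-attachments>", "entries_after": 0},
    {"ts": "2025-03-01T10:00:21", "dir": "<message-metadata>", "entries_after": 0},
    {"ts": "2025-03-01T11:05:00", "dir": "<sms-attachments>", "entries_after": 0},
    {"ts": "2025-03-01T12:00:10", "dir": "<sms-attachments>", "entries_after": 0},
    {"ts": "2025-03-01T09:59:50", "dir": "<message-metadata>", "entries_after": 3},
]
WATCHED = {"<sms-attachments>", "<message-metadata>"}

def correlate(crashes, dir_events, process="imagent", window_s=30):
    """Return one finding per crash of `process` that is followed, within
    window_s seconds, by a watched directory being modified and left empty."""
    window = timedelta(seconds=window_s)
    # Keep only events that left a watched directory empty.
    wipes = sorted(
        (datetime.fromisoformat(e["ts"]), e["dir"])
        for e in dir_events
        if e["dir"] in WATCHED and e["entries_after"] == 0
    )
    findings = []
    for crash in sorted(crashes, key=lambda c: c["ts"]):
        if crash["process"] != process:
            continue
        t0 = datetime.fromisoformat(crash["ts"])
        # Only wipes at or after the crash and inside the window count.
        hits = [(d, int((t - t0).total_seconds()))
                for t, d in wipes if t0 <= t <= t0 + window]
        if hits:
            findings.append({
                "crash_ts": crash["ts"],
                "wiped": sorted(d for d, _ in hits),
                "first_delay_s": min(s for _, s in hits),
                # Both directory classes emptied is a stronger signal than one.
                "all_watched_wiped": {d for d, _ in hits} == WATCHED,
            })
    return findings

if __name__ == "__main__":
    for finding in correlate(CRASHES, DIR_EVENTS):
        print(finding)
```

A match is circumstantial on its own, as the report's "moderate confidence" wording reflects; it is a prompt for deeper triage of the device, not proof of compromise.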

“While no smoking gun definitively proving exploitation exists, when taken together, this body of evidence gives us moderate confidence these crashes indicate targeted exploitation attempts,” iVerify notes, adding that circumstantial evidence links the potential attacks to Chinese hackers.

Responding to a SecurityWeek inquiry, Apple said it found no evidence of targeted attacks against iPhone users.

“We’ve thoroughly analyzed the information provided by iVerify, and strongly disagree with the claims of a targeted attack against our users. Based on field data from our devices, this report points to a conventional software bug that we identified and fixed in iOS 18.3. iVerify has not responded with meaningful technical evidence supporting their claims, and we are not currently aware of any credible indication that the bug points to an exploitation attempt or active attack,” Ivan Krstić, head of Apple Security Engineering and Architecture, said.

*Updated with statement from Apple.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
