Can your iPhone get viruses from websites? In a discussion forum on Apple.com, one user mentions that you can’t get a virus on your iPhone from visiting a website. In most circumstances, this is true.

However, if you’re using Safari, Chrome, or another browser app on your iPhone, then yes, you can get a virus from visiting a website — but only in extremely unusual circumstances.

Can iPhones get viruses from websites – is it likely?

While research has shown that the iPhone is more secure than the Android operating system, the long-standing belief that iPhones can’t get viruses has been thoroughly debunked by researchers.

Nonetheless, because of how Apple engineered the iOS operation system, the iPhone comes equipped with a security safety net. As long as you update your iOS regularly and don’t jailbreak your device, then the chances of contracting a virus is slim.  Nonetheless, you still need to understand how to protect your device and learn how to tell if it has been infected. In this article, you will discover best practices that will keep your iPhone free from malware.

Signs your iPhone has a virus

There are certain warning signs you should look out for to determine if your iPhone has been infected:

  • Is your iPhone overheating? When your device is running hot, malicious apps could be overusing CPU resources and memory, causing your device to overwork itself.
  • Is your iPhone using too much data? This is the biggest tell-tale sign that your iPhone has been compromised. Apps such as Netflix normally use a lot of data because high-resolution video streaming is data-intensive. However, if you haven’t streamed anything or Facetimed anyone recently, and you see your iPhone utilizing multiple gigabytes daily, then that’s a clue that your iPhone has been infected. To verify, check your iPhone’s setting and look at how much data each of your apps is using.
  • Are you getting pop-ups even when your browser is not open? Pop-ups should not appear on your phone if you’re not using Safari, Chrome, or another browsing app. If you are, then this is a red flag.
  • Do you see strange apps on your iPhone? If you see an app that you don’t remember downloading, then that’s another red flag for having malware installed on your device.
  • Are your apps constantly crashing? When you have malware on your device, they tend to hog up computing resources, so your other apps won’t function normally and are more likely to crash.
  • Is your battery draining faster than usual? As stated previously, malware apps tend to hog resources because they are transferring and uploading data, or installing more malware in the backend. As a result, your phone will consume its battery much faster than usual.
  • Is your iPhone running slowly? This is the final sign to check if your iPhone has been infected with a virus.

How can I scan my iPhone?

After looking at 3rd party testing, experts  highly recommend that personal users use ZoneAlarm Mobile Security, whereas businesses can use Check Point Harmony for employees. This article is more geared towards individual users, so if you fall in that category, then ZoneAlarm is the solution for you.

ZoneAlarm scans all threats from the past 30 days, provides zero ads, and provides 100% privacy to the end-user – your personal information is kept secure. It also consumes very few resources on your iPhone.

ZoneAlarm also provides the following capabilities:

  • Safe Wi-Fi. Connect to public WiFi networks at hotels or airports without worry. ZoneAlarm detects and prevents man-in-the-middle spy attacks and other malicious network behavior.
  • Anti Phishing. Prevents known and zero-day phishing attacks.
  • Safe-Browsing. Blocks websites that try to steal your information
  • Anti-Bot. Prevents bots from stealing data such as credentials, photos, and documents

What else can I do to keep my iPhone safe from viruses?

Below are nine best practices to keep your device secure:

  1. Regularly update your operating system. When you have a new iOS update, Apple may have patched a recent bug or exploit
  2. Turn off cookies in Safari or your other browsing app.
  3. Disable Bluetooth.
  4. Use a VPN if you’re connecting to a public Wi-Fi network
  5. Use your cell service instead of a public Wi-Fi network
  6. If you do use a public Wi-Fi network, connect to a website through HTTPS to prevent man-in-the-middle attacks, and disable your phone’s setting to automatically connect to any nearby Wi-Fi network
  7. Never jailbreak your iPhone. Doing so opens you up to a wide range of threats.
  8. Be aware of unknown ads, e-mails, links, and messages.
  9. Don’t visit suspicious websites. Just because you have an iPhone doesn’t mean you can’t get infected.

How to clear your iPhone of  viruses

If you suspect that your iPhone has a virus, then you may want to do a hard reset. Yes, this step does take time, but it’s better that you spend a few hours resetting your phone rather than living with the fear that a hacker is spying on your every move.

To purge your iPhone of malware, do a hard reset back to factory settings. Here’s how to do a reset:

  1. Back up your iPhone to iCloud or to iTunes on your computer
  2. Go into Settings -> General -> Transfer or Reset iPhone
  3. Tap on the setting that says “Erase All Content and Settings”

Now when your iPhone starts back up again with everything erased, you can set up your iPhone as new or restore your backup. Next, download the applications you were using previously.

If you’re still having trouble or viruses on your iPhone, call Apple’s support or set an appointment with a specialist. They have software that will do a hard scan on your device and remove malicious files that might have escaped your hard reset.

Can iPhones get viruses from Safari?

Not directly. Safari acts as a gateway for hackers, but hackers can utilize other browsers as attack vectors, such as Chrome. In general, it’s best to only visit websites that are legitimate and well-known. Be careful if you’re trying to stream a movie or a sporting event, however.

With these security tips in mind, it’s critical to understand how your iPhone’s operating system works.

iPhones are less likely to get viruses from websites because of how iOS is structured

Apple’s iOS system is well-known for its closed security model, which takes a walled garden approach. This approach requires 3rd party apps to be thoroughly vetted and to fit certain requirements before making it onto the App Store, protecting you from malicious apps. Even if someone downloads a malicious app in an attempt to find an illegal stream of a new movie, their data is secure.

This security approach described above is known as “sandboxing,” and it extends to Safari and other browsing apps that access websites. Sandboxing is the act of restricting third-party apps so that they can’t access files stored by other apps or make changes to the device. An application that’s installed through the App Store can only access its own data, or if a user explicitly allows the app to access data on the device. Furthermore, even if a user allows maximum permissions to the app, a wide range of the iPhone’s functions are permanently blocked off, such as system files and resources.

Apple has taken some additional approaches to improving security. Remote login services are deemed unnecessary, so they aren’t included in the system software. APIs don’t authorize applications to grant themselves privileges to the point where they can modify iOS or other apps.

As a result of the security measures discussed above, one may think that the iPhone is immune if you visit a malicious website.  However, this isn’t always true. If a website opened within a browser app escapes the sandbox, then the security model is no longer viable.

In contrast to iOS, Android devices are at greater risk of being infected by malware. First, while iOS is a closed system, Android’s operating system is open source, which allows hackers to tinker with the code and find vulnerabilities. Second, it’s the carriers – not Google – that choose when or if to patch the security updates on certain model phones. Phone makers can also put out modifications to the Android operating system, and if there’s a vulnerability in the code, then hackers can exploit that. This OS fragmentation creates a much more fertile environment for malware.

Next, let’s discuss a notorious example of malware infecting iOS via websites.

How hackers infected iPhones with viruses using malicious websites

Researchers from Google’s Project Zero discovered malicious websites that have successfully targeted iPhones for over two years. Attackers achieved this by exploiting vulnerabilities related to the mobile browser. If you visited one of the malicious websites, it was enough for the exploit server to infiltrate your device and install a monitoring implant, or spyware.

The hacked websites were using watering hole attacks against people who landed on the site. Google’s research team collected five separate iPhone exploit chains, from iOS 10 all the way to iOS 12, spanning a period of two years. They discovered that the root causes were not novel, likely resulting from lines of code that never worked, code that bypassed QA, or code that barely had any testing before being included in users’ iOS updates.

This spyware allowed hackers to gain unlimited access privileges and extract the following data:

  • Messages from messenger apps such as Telegram, Skype, WhatsApp, and iMessage
  • Mail messages from Gmail, Outlook, Yahoo and apps
  • A history of your calls and SMS
  • Photos
  • Notes
  • The device’s location if GPS is enabled

Furthermore, the contents of the data were transmitted in unencrypted, plain-text. This means that if your iPhone connected to a public W-Fi network, then everyone else can view your sensitive data such as messages, passwords, and more.

For this one campaign that was discovered, there’s almost certainly other malicious campaigns that have yet to be seen.

can iphones get viruses from websites

Example of an extremely sophisticated iPhone attack

While we are discussing attacks delivered via websites, here’s an example of another advanced attack that required zero clicks from the end user. It’s important to note the many attack vectors through which hackers can break into your device – and not just pay attention to the question “Can iPhones get viruses from websites?”

Google Project Zero described this as one of the most sophisticated attacks they had ever seen. This attack created an emulated environment with a function of iOS that managed GIFs but doesn’t normally support scripting abilities. Hackers could use this exploit to remotely hack an iPhone by running Javascript-like code.

The attack was part of an iMessage exploit, exploiting the code that iMessage uses for GIF images. The attacker simply had to send a fake GIF image to its intended target. The victims didn’t even have to click on the link; their device would be hacked if they simply received it.

Because of how iMessage handled the set-up, NSO group found out it was possible to send these fake GIF images and exploit its targeted end users. After discovering his, Apple moved the GIF decoding process into its “BlastDoor” sandbox, where it cleans the data.

Apple has taken legal action because of the NSO Group selling these alleged hacks and exploits. The United States has also placed NSO Group on an official blacklist.

The point of this case study is to illustrate that you should always be careful when using your iPhone. Even if you think you’ve done everything right, there’s always an intelligent threat actor looking for new ways to compromise your device. Always be careful when transmitting sensitive information.

Humans: The weakest firewall

You could have the most technologically advanced firewall and anti-virus on your iPhone, but at the end of the day, humans are the most important line of defense. Over 90% of cyber attacks stem from a phishing e-mail.

Phishing attacks are social engineering threats, often delivered via e-mail, which attempt to fool the reader into giving up their account credentials. For example, a common phishing attack is an e-mail that imitates a message from a well-known bank. This e-mail might urge the user to change their password and threaten that if they don’t, they’ll lose access to their account. A common tactic these attacks use is urgency – pushing the user to take an action with X amount of hours or days – making it substantially more likely for the victim to act irrationally and fall victim to the scam. If the victim does give up their credentials, hackers can drain the victims’ bank accounts.

Phishing attacks aren’t only limited to e-mail, they can also be delivered via text message. You might receive a text message from your “boss” who asks you to purchase a gift card for an event. And once you purchase the gift card, the hacker on the other end will simply use the funds on the gift cards to their own benefit.

How does this relate to getting viruses from websites? You could visit a website whose goal isn’t to get malware from you but to deceive you into giving up your sensitive data and account information. Don’t fall victim to these scams.

Conclusion

While the number of potential viruses that could affect your iPhone is miniscule compared to the thousands of known viruses that could infect your PC, iPhones are not as invincible as many people think they are. To answer the question “Can iPhones get viruses from websites?” the answer is a resounding yes.

Because most people treat their iPhones as integral to their everyday lives, the topic of mobile security deserves more attention than it gets. If a hacker finds a vulnerability in your device and implants malware, everything you say or do can be uploaded into a database to potentially be used against you – which has happened in the past to journalists and other targeted individuals.

However, new vulnerabilities can pop up at any time, and it’s entirely possible for hackers to take advantage of them and never get discovered by security researchers. Although Google’s research team has uncovered and published a number of these, there’s likely a wide array of other vulnerabilities that nation-states and other threat actors are actively exploiting. Therefore, you should always exercise caution and use best practices to keep your iPhone secure.