Techlore
Two iOS Exploits Just Hit 100M+ iPhones — How To Check Yours
TL;DR
Two zero-day iOS exploit chains — Karuna and DarkSword — targeted hundreds of millions of iPhones; update immediately or enable Lockdown Mode to stay protected.
Key Points
1. Karuna is a sophisticated five-chain iOS exploit targeting versions 13–17.2.1. It includes WebKit remote code execution, PAC bypass, sandbox escapes, kernel privilege escalation, and a page protection layer bypass; Lockdown Mode or private browsing stops it entirely.
2. DarkSword is a second iOS exploit targeting iOS 18 devices, prevalent in the Russia-Ukraine conflict. A quarter of iPhones still ran iOS 18 at time of reporting; visiting a malicious website alone is enough to trigger the attack.
3. Users can check for both exploits using the free iVerify app. iVerify confirmed it can scan for both Karuna and DarkSword; Apple also pushed a Background Security Improvement update (iOS 26.3.1a) which may patch related vulnerabilities.
4. Google's new 'advanced flow' for Android sideloading requires seven steps, developer verification, and a 24-hour wait. Critics argue enabling developer mode actually increases security risks and that Google is covertly closing Android's open ecosystem while denying it.
5. Meta's OS-level age verification push is secretly self-serving. Meta backed the Digital Childhood Alliance with part of a $70M fragmented super PAC strategy; proposed laws burden Apple and Google's app stores but spare Meta's social media platforms.
6. Instagram quietly killed end-to-end encryption in DMs on May 8th. Unlike Facebook Messenger — where Meta made E2EE the default — Instagram chose to disable it entirely rather than expand it, signaling a broader retreat from privacy commitments.
7. The EU parliament voted to reject untargeted mass scanning of private chats (Chat Control). However, the EPP conservatives immediately moved to overturn the vote within hours; Patrick Breyer is leading continued opposition.
8. The FBI confirmed it buys location data from private companies to bypass warrant requirements. Third-party SDKs inside everyday apps like games collect location data that law enforcement agencies including ICE and local police purchase to track U.S. citizens.
9. Colorado and California are pushing OS-level age verification laws that would apply to Linux and open-source software. System76's CEO is lobbying lawmakers for an open-source exemption; the EU's alternative uses zero-knowledge proofs to verify age without exposing personal identity.