Google's Project Zero team dropped a bombshell of a blog post that says malicious websites have hacked iPhones for years whenever someone using one simply visited them. The specifics are interesting if you're into information security, but the gist is that hackers were able to exploit the various levels of iOS security to gain access to private data including photos, passwords, and databases for encrypted messaging apps like WhatsApp and iMessage. And again, all a user had to do was visit a website.
We only hear about an exploit when it's been caught.
Apple promptly patched the vulnerabilities used for these exploits once Google informed it of the findings in February, but still. This went on for over two years and nobody knew except the people involved in stealing the personal data of "thousands of visitors per week." Yikes.
I know most everyone reading this uses an Android phone and probably isn't affected by this in any way. At least, you hope you weren't affected. The scary truth is that there are probably other "hacks" in the wild that work in a very similar way, and that your phone is vulnerable to them.
Hackers (the bad kind of hacker) aren't worried about what type of phone you use. There is a case to be made that iPhone users tend to have more disposable income and are a "better" target when it comes to stealing money, but it's more important to hit as many people as possible if you're trying to steal data. In the U.S. about half of all people with a smartphone use an iPhone, about half use an Android. Doctors, lawyers, and celebrities use Android phones, too. Their passwords, messaging databases, and photos are just as interesting to a hacker.
Android phones are filled with juicy data just like iPhones are.
There aren't a lot of people finding and writing these sorts of attacks, thankfully. There also aren't a lot of people trying to find and fix them, though. And unfortunately, there isn't much we can do about it.
If you know how to use a proxy service and browse onion links (and no, I'm not going to help you there), you can find places online that sell packages that let you attack smartphones. The easier it is to infect or affect a phone, the higher the price, and something as automatic as this recent iOS hack, which affected even the most recent version, is very expensive. But people still buy them, because spending upwards of $3 million for them is a sound investment if you can get enough phones infected. If you can steal a dollar from 3.1 million users, you just turned a tidy profit.
All this should concern you. It doesn't matter if you're the type of person who uses a strong password everywhere and religiously encrypts and locks all your devices, or if you're the type who doesn't even have a lock screen in use and all your passwords are "password." You're on the internet right now and there is no guarantee that you won't stumble across a page that has malware of this type embedded. You should use safe practices like only following links you trust from people you trust, but malware is like love and it will find a way.
You don't have to obsess about online security but you should care at least a little.
I'm not going to suggest we go back to a glorious age where no business was done online and risqué photos all came from Polaroid Instant Cameras. And you don't need to wear a tinfoil hat and think someone is out to get you every time you pick up your phone. You should, however, care about security just a little bit. Consider a company's track record on security whenever you purchase anything that can connect to the internet, and keep following rules like only visiting links you trust, using two-factor authentication when you can, and never using unsecured Wi-Fi.
Remember, this isn't the only exploit of this type out there in the wild; it was only the one that was caught.