Researchers say Apple iPhones have been infected with spyware, leading to an alarming security failure.

Google’s privacy team says it has discovered a two-year-long vulnerability in Apple’s iPhone software, which means that simply visiting targeted ‘waterhole’ websites leaves users susceptible to a breach.

The analysis says the bug could affect thousands of users per week.

Visiting the unnamed sites could give hackers access to information including the phone’s GPS data, passwords and even conversations on iMessage and WhatsApp.

The issue was uncovered by Project Zero, an elite arm of Alphabet Inc.’s Google that employs cybersleuths to hunt for ‘zero day’ vulnerabilities: design flaws exploited by hackers to break into computer systems.

“All that users can do is be conscious of the fact that mass exploitation still exists and behave accordingly,” Ian Beer, a Project Zero researcher, wrote in a blog post.

“Treating their mobile devices as both integral to their modern lives, yet also as devices which when compromised, can upload their every action into a database to potentially be used against them.”

Project Zero says attackers exploited fourteen different software flaws, including seven specific to Safari, Apple’s built-in web browser.

They developed five distinct entry points to access various features on the phone, allowing them to quietly install malware onto the device without the owner knowing.

A full technical breakdown is accessible here.