How it works
The message in question consists of three characters: A white flag, a zero and a rainbow emoji, and an invisible character known as a “variation sector 16,” or VS16 for short. French iOS developer Vincent Desmurs, who claims to have discovered the bug, believes that the issue is related to Apple’s handling of the variation selector and the emojis preceding it: “What variation selector 16 (VS16) does in this case essentially is tell the device to combine the two surrounding characters into one emoji, yielding the rainbow flag.
“The text you’re copying is actually a waving white flag, VS16, zero, rainbow emoji. What I’m assuming is happening is that the phone tries to combine the waving white flag and the zero into an emoji, but this obviously can’t be done.”
Message recipients experience a full lock up requiring a reboot, or a partial lockup that triggers a quick reboot.
Sending the message isn’t as easy as typing the characters into any old messaging app, luckily. A malicious sender needs to log into the web version of iCloud, paste the special VS16 character into the online Notes app, and then open the saved string on a phone and share it as a text message.
But there’s a second, easier way an ill-meaning texter can slow down, crash, and sometimes freeze an iPhone. It involves the same string of characters embedded within a contacts file, which can be shared to an iMessage contact and crucially executed without the use of iCloud on the web.
This second message, when sent from one iPhone to another, grinds iOS to a halt. It responds sluggishly and in some cases momentarily freezes.
How to protect yourself
The first form of the exploit — the string which includes the special VS16 character — doesn’t work on iOS, 10.2.1. As long as you’ve updated your iPhone to the latest version of Apple’s mobile operating system, you’ve got nothing to worry about.
The second trick, however, works on all versions of iOS. But its implications aren’t as dire as the first exploit. It’s difficult for the sender to avoid crashing his or her own smartphone with the infected contact card, for one. And it doesn’t crash iPhones.
The easiest way to prevent repeated crashes from a malicious message is deleting the entire string. According to The Guardian, though, that’s sometimes easier said than done. Some users have reported having their iPhones repeatedly lock up without being able to delete the malicious string, while others have reported having to send a new message or create one with Siri.
The emoji bug is far from the first of its kind to render an iPhone useless. A nasty video file and malformed link both cause older versions of iOS to freeze and crash without warning. Given the speed with which Apple addressed those vulnerabilities, though, chances are that the newest exploit will be patched before long.