This is terrifying... most people do not hard reset their phones ever (even when upgrading). What are the odds that these payloads are floating around despite the exploits being patched?
From the article, a reboot will do it. You don't need a hard reset:
"The implant binary does not persist on the device; if the phone is rebooted then the implant will not run until the device is re-exploited when the user visits a compromised site again."
The implant is gone, but the attacker still has keychain data and can/did/does use it to continue downloading data in clear text:
“The implant uploads the device's keychain, which contains a huge number of credentials and certificates used on and by the device.
...
The keychain also contains the long-lived tokens used by services such as Google's iOS Single-Sign-On to enable Google apps to access the user's account. These will be uploaded to the attackers and can then be used to maintain access to the user's Google account, even once the implant is no longer running.
...
There's something thus far which is conspicuous only by its absence: is any of this encrypted? The short answer is no: they really do POST everything via HTTP (not HTTPS) and there is no asymmetric (or even symmetric) encryption applied to the data which is uploaded. Everything is in the clear.”