Malicious websites are hosting special iPhone exploits designed to steal private data such as iMessages, photos and GPS location in real-time — just by visiting the website itself.

Ian Beer, of Google’s security research team Project Zero, said in a blog post on Thursday that hackers exploited iPhone vulnerabilities to surreptitiously place the implant on the phones of users who visited certain hacked websites.

TURN OFF YOUR BLUETOOTH, WARN SECURITY EXPERTS — “There was no target discrimination; simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant,” he explained. “We estimate that these sites receive thousands of visitors per week.”