According to the company's Project Zero security researchers, people visiting one of the websites - of which the team found several - risked compromising their photos, messages and location data.
In a blog post this week, Project Zero's Ian Beer said: "There was no target discrimination; simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant.
"We estimate that these sites receive thousands of visitors per week."
The team passed on its findings to Apple earlier this year, and the vulnerability was fixed in the same update that patched the FaceTime eavesdropping issue.
It should be noted the attacks are rare displays of vulnerability for the generally highly secure iPhone devices.
Indeed, the tech giant has offered up to $1 million in bug bounties for researchers who find critical security issues on its devices.
Google's researchers found that rather working off any sole vulnerability, the hack instead used 14 zero-day vulnerabilities over five independent exploit chains.
The hackers targeted iPhone users over at least two years - from iOS 10 to the current iOS 12 - but Apple issued a patch less than a week after Google disclosed the problem in February.