Apple has released an important software update for iPhone to fix a Pegasus-related vulnerability after researchers at Citizen Lab found that NSO Group, an Israeli spyware company, had infected Apple products without so much as a click.
Citizen Lab, a Canada-based cybersecurity watchdog, said it had detected a "zero-day zero-click exploit against iMessage", which it calls "FORCEDENTRY" or "forced entry".
Apple said in a blog post that it had issued the iOS 14.8 and iPadOS 14.8 software patches after it became aware of a report that the flaw "may have been actively exploited". The security update is reportedly in response to a "maliciously crafted" PDF file. The critical software patch is intended to fix a security vulnerability that researchers said could allow hackers to directly infect iPhones and other Apple devices without any user action.
University of Toronto's Citizen Lab Alerted Apple
Hours after releasing the fix, Apple said it had "rapidly" developed the update following Citizen Lab's discovery of the problem, according to AFP.
"Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals," the company said.
According to the Washington Post, the vulnerability has been in use on iOS, watchOS and macOS since at least February. Researchers at Citizen Lab warned on their blog Tuesday about a "zero-click" exploit. It had been used to infect the phone of a Saudi activist with the Pegasus spyware. Apple device users were vulnerable even if they didn't click on anything, according to Mashable.
"We determined that the mercenary spyware company NSO Group used the vulnerability to remotely exploit and infect the latest Apple devices with the Pegasus spyware," Citizen Lab wrote in a post.
Unknown Vulnerability Affected All Major Apple Devices
The researchers said the previously unknown vulnerability affected all major Apple devices, including Apple Watches, Macs and iPhones. NSO Group said in a statement that it will "continue to provide intelligence and law enforcement agencies around the world with life-saving technologies to fight terror and crime."
The Pegasus software from Israeli firm NSO Group has been under intense scrutiny since an international media investigation claimed it was used to spy on the phones of human rights activists, journalists and even heads of state.
Zero-Click Spyware Used to Infect iPhones and iPads
According to The New York Times, Pegasus used a novel method to invisibly infect Apple devices without victims' knowledge. Known as a "zero click remote exploit," it is considered the Holy Grail of surveillance because it allows governments, mercenaries and criminals to secretly break into someone's device without tipping the victim off.
Using the zero-click infection method, Pegasus can turn on a user's camera and microphone, record messages, texts, emails and calls, even those sent via encrypted messaging and phone apps like Signal, and send them back to NSO's clients at governments around the world, reported the Times.