Apple has issued an emergency software update after a flaw was found that allows spyware attributed to Israel’s NSO Group to infect an iPhone, Apple Watch, or Mac computer without the user having to click on anything.
The malware was found on the phone of an unidentified Saudi activist by Canadian internet security watchdog Citizen Lab.
It is the first time that a “zero-click” exploit – which affects all of the phone’s operating systems – has been caught and analysed.
The phone is thought to have been infected in February, although the researchers discovered the malicious code on 7 September and immediately alerted Apple.
Apple said in a blog post on Monday that it had issued a security update for iPhones and iPads because of a “maliciously crafted” PDF file that could lead to them being hacked.
It said it was aware that the issue may have been exploited, citing Citizen Lab.
Citizen Lab researcher Bill Marczak said there was high confidence that Israeli surveillance firm NSO Group was behind the attack, although it was “not necessarily” being attributed to the Saudi government.
Citizen Lab has previously found evidence of zero-click malware being used to hack the phones of some journalists and other targets but Mr Marczak said this was the first time one had been captured “so we can find out how it works”.
Security experts have said that the average user does not need to be too concerned, as such attacks tend to be highly targeted, but the exploit was still alarming.
Mr Marczak said that malicious files were put on the Saudi activist’s phone via the iMessage app before the phone was hacked with NSO’s Pegasus spyware.
This meant the phone was then able to be used to spy on its user, likely without them even knowing.
Citizen Lab researcher John Scott-Railton said: “Popular chat apps are at risk of becoming the soft underbelly of device security. Securing them should be top priority.”
In July it was reported that NSO Group’s spyware had been used to target journalists, political dissidents and human rights activists.
NSO Group says that its spyware is only used by governments to hack the mobile phones of terrorists and serious criminals, but a leaked list featuring more than 50,000 phone numbers of interest to the company’s clients suggested that it is being used much more broadly.
More than 1,000 individuals in 50 countries were allegedly selected for potential surveillance – including 189 journalists and more than 600 politicians and government officials, according to Paris-based journalism non-profit Forbidden Stories and Amnesty International, as well as their media partners.
Mr Marczak said on Monday: “If Pegasus was only being used against criminals and terrorists, we never would have found this stuff.”
It has also been reported that the FBI is investigating NSO Group, and Israel has set up a senior inter-ministerial team to examine the allegations surrounding how the spyware is being used.