Apple has released an emergency patch for iOS to fix a glaring security flaw that allowed a Pegasus-linked spyware to infect devices without malicious links or messages.
Researchers at Canada-based cybersecurity watchdog Citizen Lab found the glitch while analysing a Saudi activist’s compromised phone.
In a post, Citizen Lab wrote: “We determined that the mercenary spyware company NSO Group used the vulnerability to remotely exploit and infect the latest Apple devices with the Pegasus spyware.”
Hours after the iOS 14.8 fix was released, Apple said it developed the update “rapidly” following Citizen Lab’s discovery.
It said such attacks were highly sophisticated, were expensive to develop, had a short shelf life, and often targeted specific individuals.
The Pegasus malware, developed by Israeli security agency NSO Group, has faced severe scrutiny after an international media investigation revealed that it was used to spy on the smartphones of journalists, human rights activists, and top politicians.
Citizen Lab, in March, examined the Saudi Arabian activist’s phone and found that it was hacked using the Pegasus malware introduced through iMessage that did not require a click.
The Pegasus spyware was first uncovered five years ago by cyber security company Lookout and Citizen Lab. Since then, it has evolved to become much more effective.
The spyware can be deployed as a “zero-click exploit,” allowing it to install itself without the user clicking an infected file or link, Lookout Senior Manager Hank Schless told Agence France-Press.
Schless said many apps automatically create a link preview or cache to improve user experience, adding that Pegasus uses this functionality to silently infect devices.
United Nations experts recently called on the international community to impose a moratorium on the sale of surveillance technology until regulations for the protection of human rights could be implemented.
In July, an international media investigation found that several governments used the NSO Group’s Pegasus malware to keep a tab on journalists, activists, and politicians. The malware can switch on a phone’s microphone or camera to harvest data. Several Indian names also featured in the list of people spied on using Pegasus. The Indian government, however, has refused to reveal if it is a client of the NSO Group.