Apple has issued an urgent update to its iPhone software to shut out spyware that infected users through its iMessage app, allegedly designed by Israeli firm NSO Group.
The malware was able to infect iPhones, MacBooks and iPads by using a malicious PDF file that could force entry onto the phones without it even being opened.
In a security update, Apple said it had fixed the flaw but warned it “may have been actively exploited”.
The spyware was reported by the University of Toronto’s Citizen Lab, which attributed it to NSO Group, an Israeli company that designs software aimed at infiltrating the phones of criminals and terrorists.
However, Citizen Lab and activist groups have claimed the software has been used to target dissidents. They have accused NSO Group of supplying its “Pegasus” software, which was able to infiltrate phones via WhatsApp calls, to authoritarian regimes.
NSO Group said it would "continue to provide intelligence and law enforcement agencies around the world with life saving technologies to fight terror and crime”.
Citizen Lab said it had discovered the virus while analysing the phone of a Saudi activist infected with NSO’s Pegasus spyware and reported it to Apple on September 7. On Monday, the iPhone maker confirmed the files included a so-called “zero-day” exploit against its smartphone software.
Researchers at Citizen Lab said: “Our finding highlights the paramount importance of securing popular messaging apps. Ubiquitous chat apps have become a major target for the most sophisticated threat actors.”
Ivan Krstić, head of security engineering at Apple, said such attacks were “highly sophisticated, cost millions of dollars to develop, often have a short shelf life and are used to target specific individuals. While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data.”
The revelation comes ahead of Apple’s planned iPhone launch event, which starts later on Tuesday.
Apple’s fixes to the new malware will be included as part of its iOS 14.8 and iPadOS 14.8 software updates.