The flaw, which affects all of the technology giant’s operating systems, lets hackers access devices through the iMessage app, even if the user doesn’t click on a malicious link or file.
Disclosed on Monday by The University of Toronto’s Citizen Lab, the exploit allowed a hacker using NSO’s Pegasus malware to gain access to a device owned by an unnamed Saudi activist.
Although examples of zero-click spyware had been seen before, Citizen Lab researcher Bill Marczak said, “this is the first one where the exploit has been captured so we can find out how it works.”
Security experts have said that although the zero-day discovery is significant, most users of Apple devices should not be overly concerned as such attacks are usually highly targeted.
Apple said in a blog post that it had issued the iOS 14.8 and iPadOS 14.8 software patches after it became aware of a report that the flaw “may have been actively exploited”.
Commenting on this, Tim Mackey, principal security strategist at the Synopsys Cybersecurity Research Centre, said: “Zero-click software or apps should be a high concern for any mobile device user.
“This class of software doesn’t require any interaction by the user, so no explicit download and no explicit consent is granted. While there are legitimate uses for this class of software, the secretive nature of the installation makes it particularly appealing to malicious or criminal groups.
“The only real path for end users to defend against such software is to keep on top of all operating system updates, vendor updates, and maintain an up to date anti-malware solution.”
In a statement, head of security engineering and architecture at Apple, Ivan Krstić, said: “After identifying the vulnerability used by this exploit for iMessage, Apple rapidly developed and deployed a fix in iOS 14.8 to protect our users.”
“We’d like to commend Citizen Lab for successfully completing the very difficult work of obtaining a sample of this exploit so we could develop this fix quickly.”
Krstić added that attacks like this one are “highly sophisticated, cost millions of dollars to develop, often have a short shelf life and are used to target specific individuals.”
Citizen Lab said the security issue was exploited to plant spyware on a Saudi activist’s iPhone, adding that it had high confidence that the Israeli hacker-for-hire firm, NSO Group, was behind that attack.
In a statement to the Reuters news agency, NSO did not confirm or deny that it was behind the spyware, saying only that it would “continue to provide intelligence and law enforcement agencies around the world with life-saving technologies to fight terror and crime”.