Apple has issued a software patch to block so-called “zero-click” spyware that could infect iPhones and iPads.
The flaw, discovered by independent researchers, allows hackers to access devices via the iMessage service even if users do not click on a link or file.
According to the researchers, the issue affects all of the technology giant’s operating systems.
Apple stated that the security update was released in response to a “maliciously crafted” PDF file.
The University of Toronto’s Citizen Lab, which first highlighted the issue, had previously found evidence of zero-click spyware, but “this is the first one where the exploit has been captured so we can find out how it works,” said researcher Bill Marczak.
The previously unknown vulnerability, according to the researchers, affected all major Apple devices, including iPhones, Macs, and Apple Watches.
Citizen Lab also stated that the security flaw was used to install spyware on a Saudi activist’s iPhone, and that it had high confidence that the attack was carried out by the Israeli hacker-for-hire firm, NSO Group.
NSO did not confirm or deny being behind the spyware in a statement to the Reuters news agency, saying only that it would “continue to provide intelligence and law enforcement agencies around the world with life-saving technologies to fight terror and crime.”
According to security experts, while the discovery is significant, most Apple device users should not be overly concerned because such attacks are typically highly targeted.
Apple said in a blog post that it had issued the iOS 14.8 and iPadOS 14.8 software patches after it became aware of a report that the flaw “may have been actively exploited”.
The announcement came as the technology behemoth prepared to reveal new products at its annual launch event on Tuesday.
Apple is expected to unveil new iPhones as well as updates to its AirPods and Apple Watch.
Analysis by Joe Tidy, Cyber Reporter
Apple’s iMessage is one of the most secure messaging apps available, but it clearly had a dangerous flaw that a hacking team discovered and exploited.
Apple, which prides itself on being a secure and safe system, will be embarrassed by the news.
The revelation could be another blow to the reputation of NSO Group, which is still reeling from recent allegations of widespread spy hacking on innocent people.
It also emphasises that no device is completely safe if a determined, well-funded team wants to hack it and is paid well enough to do so.
The best advice from everyone is for iOS users to update their device’s security software as soon as possible to close the security hole.
However, for the vast majority of users, the risk of becoming a victim of this costly and highly skilled hacking is low.