Apple has issued an urgent software update following the discovery of a malware that can infect devices without users clicking on anything.
Internet security watchdog group Citizen Lab yesterday announced it found a flaw, attributed to Israel's NSO Group, that allows an attacker to hack into a device making the user unable to spot it.
The malware was found on the phone of a Saudi activist and discovered on September 7 by researchers who immediately alerted Apple.
Citizen Lab said the phone had been infected with spyware in February and at the moment it is not clear how many other users may have been infected.
Researcher Bill Marczak said there was high confidence that Israeli surveillance firm NSO Group was behind the attack.
Experts said the average user should not be too concerned as similar attacks tend to be highly targeted, but the security issue was alarming.
Mr Marczak said the malicious files were put on the Saudi activist's phone via the iMessage app before the phone was hacked with NSO's Pegasus spyware.
The way the attack happened meant that the phone was able to spy on its user, without them even knowing.
Citizen Lab researcher John Scott-Railton said: "Popular chat apps are at risk of becoming the soft underbelly of device security. Securing them should be top priority."
Apple has since released an update for users, with a security note for iOS 14.8 and iPadOS 14.8 saying: "Processing a maliciously crafted PDF may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited."
It also released WatchOS 7.6.2, MacOS Big Sur 11.6 as well as a security update for MacOS Catalina to address the vulnerability, the Irish Mirror reports.
Ivan Krstić, head of Apple Security Engineering and Architecture, said in a statement: "After identifying the vulnerability used by this exploit for iMessage, Apple rapidly developed and deployed a fix in iOS 14.8 to protect our users.
"Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals."
He added: "While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data."
