NSO Group, a cyber surveillance company in Israel, has developed a technology to break into Apple iPhones, internet security watchdog group Citizen Lab said on Monday.
The discovery is important because of the critical nature of the vulnerability, which requires no user interaction and affects all versions of Apple’s iOS, OSX, and watchOS, except for those updated on Monday.
The tool developed by NSO Group defeats security systems designed by Apple in recent years, Reuters reported.
Apple said it fixed the vulnerability in Monday’s software update, confirming Citizen Lab’s finding.
“After identifying the vulnerability used by this exploit for iMessage, Apple developed and deployed a fix in iOS 14.8 to protect our users,” said Ivan Krstić, head of Apple Security Engineering and Architecture, in a statement.
NSO did not confirm or deny that it was behind the technique, saying only that it would continue to provide intelligence and law enforcement agencies around the world with life-saving technologies to fight terror and crime.
Citizen Lab said it found the malware on the phone of an unnamed Saudi activist and that the phone had been infected with spyware in February. It is unknown how many other users may have been infected.
The intended targets would not have to click on anything for the attack to work. Researchers said they did not believe there would be any visible indication that a hack had occurred.
The vulnerability lies in how iMessage automatically renders images. IMessage has been repeatedly targeted by NSO and other cyber arms dealers, prompting Apple to update its architecture. But that upgrade has not fully protected the system.
“Popular chat apps are at risk of becoming the soft underbelly of device security. Securing them should be top priority,” said Citizen Lab researcher John Scott-Railton.
The FBI has been investigating NSO, and Israel has set up a senior inter-ministerial team to assess allegations that its spyware has been abused on a global scale.
Although NSO has said it vets the governments it sells to, its Pegasus spyware has been found on the phones of activists, journalists and opposition politicians in countries with poor human rights records.