Apple users were urged Tuesday to update their devices after the tech giant announced a fix for a major software flaw that allows the Pegasus spyware to be installed on phones without so much as a click.
Cybersecurity experts at the Citizen Lab, a research centre at the University of Toronto, uncovered the flaw while analyzing the phone of a Saudi activist.
That person is among tens of thousands believed to have been targeted with the Israeli-made Pegasus software, which according to media reports has been used worldwide to intercept the communications of activists, journalists and even heads of state.
Apple said Monday that it had "rapidly" developed a software update after Citizen Lab alerted it to the hole in its iMessage software on September 7.
Explosive revelations that governments have spied on people using the hugely invasive software -- which was developed by the NSO Group, a secretive Israeli firm -- have ricocheted around the world since July.
Once Pegasus is installed on a phone, it can be used to read a target's messages, look at their photos, track their movements and even switch on their camera -- all without the person knowing.
The flaw fixed by Apple on Monday is a so-called "zero-click exploit", meaning that it can be installed on a device without the owner needing to do so much as click a button.
But how do such "zero-click" attacks work, and can they be stopped?
- What is a 'zero-click' hack? -
Spying software has traditionally relied on convincing the targeted person to click on a booby-trapped link or file in order to install itself on their phone, tablet or computer.
"Zero-click takes that threat to the next level," said John Scott-Railton, senior researcher at Citizen Lab, the Toronto University cybersecurity centre which discovered the Apple flaw.
With a zero-click attack, the software can sneak its way onto the device without the person needing to be fooled into clicking on the link.
That grants would-be spies much easier access, not least in an era when people have grown increasingly wary of clicking on suspicious-looking messages.
In this case, the malware exploited a hole in Apple's iMessage software to stealthily install Pegasus, a hugely invasive piece of software that essentially turns a phone into a pocket listening device.
Allegations that the software has been used by governments worldwide to eavesdrop on human rights activists, business executives and politicians sparked a global scandal in July.
- Will I know if my phone is infected? -
A simple answer: "No," said Scott-Railton.
"There's nothing you can do as a user to protect yourself from infection, and nothing you're going to see when you're infected," he told AFP.
That is partly why Apple has taken the threat so seriously, he said.
Scott-Railton urged Apple users to install the software update released by the tech giant on Monday.
Apple announced a fix for the problem just under a week after Citizen Lab reported it on September 7.
A fix of this speed is "a rarity, even for a big company", Scott-Railton said.
- Why are messaging apps so vulnerable? -
Revelations of Apple's iMessage flaw come after messaging service WhatsApp discovered in 2019 that it, too, had a zero-click vulnerability that was being used to install Pegasus on phones.
Scott-Railton said the ubiquity of such apps meant it was not surprising that the NSO Group, the scandal-hit Israeli company behind Pegasus, had used them to sneak onto people's devices.
"If you find a phone, there's a good chance that there's a popular messaging app on it," he explained.
"Finding a way to infect phones through messaging apps is an easy and quick way to accomplishing what you want."
The fact that messaging apps allow people to be identified with their phone numbers, which are easily locatable, also "means that there are a huge target for both nation-states and commercial mercenary hacking operations like NSO," he said.
- Can such hacks be stopped? -
Vivien Raoul, chief technical officer at French cybersecurity firm Pradeo, said the discovery of the iMessage flaw was "a good start for reducing the ports of entry, but it's unfortunately not enough to stop Pegasus".
Malware-makers can simply look for other weaknesses in widely used apps, which inevitably include flaws from time to time due to their complexity, say experts.
Google's mobile operating system Android and Apple's iOS regularly "correct a large number of vulnerabilities", Raoul said.
NSO, whose recruits include former elite members of Israeli military intelligence, has formidable resources of its own to invest in the hunt for weak spots, while hackers also sell access to them on the dark web.