Apple has released a critical software patch to fix a major security vulnerability, after researchers discovered that spyware could exploit it to directly hack into iPhones and other Apple devices without a user click.

Researchers at the Citizen Lab at the University of Toronto said they found malicious image files being transmitted to the phone of a Saudi activist, who wished to remain anonymous, via the iMessage instant messaging app. The device was then hacked by Pegasus spyware, developed by the Israeli group NSO, they said.

Citizen Lab, which called the iMessage exploit Forcedentry, said the security vulnerability makes phones susceptible to remote eavesdropping and data theft, and that it applies to all Apple devices. Forensics revealed that the activist's phone had been infected in March, adding that the malicious files caused the phone to crash.

The vulnerability was found on the activist's iPhone on September 7, after which Citizen Lab said it had immediately alerted Apple. The NSO group licenses its Pegasus spyware tool to government agencies and law enforcement to investigate criminal activity, but Citizen Lab researcher Bill Marczak stated, "We don't necessarily attribute this attack to the Saudi government."

In a statement, NSO Group said it will continue to provide tools to fight "terror and crime."

Related

Pegasus, which is also a zero-click exploit, does not require users to click on any suspicious links or open infected files, and is considered the pinnacle of surveillance technology, allowing hackers to enter the a person's phone without alerting the victim.

Apple, in a blog post, said it was issuing a security update for iPhones and iPads because a "maliciously crafted" PDF file could lead to hacking. Apple's chief security officer, Ivan Krstic, also issued a statement saying that "after identifying the vulnerability used by this iMessage exploit, Apple quickly developed and deployed a fix in iOS 14.8 to protect our users."

He added that in the past, these kinds of exploits used to cost millions of dollars to develop and used to have a short lifespan. While it's unclear at this time how many Apple users could have been targeted using this vulnerability, Krstic said such exploits "are not a threat to the vast majority of our users."

Read More: Apple delays introduction of photo scanning features indefinitely after widespread protests

Users should get alerts on their iPhones to update the phone's iOS software. The critical update comes ahead of an Apple event on Tuesday where the tech company was scheduled to unveil a new product.

Citizen Lab alleged that its findings undermine the Israeli company's claim that it sells software to law enforcement for use against criminals and terrorists and that it audits customers to ensure that Pegasus is not being misused.

"If Pegasus was only used against criminals and terrorists, we would never have found this material," Marczak said.

In early July, a global media consortium published a series of reports on the use of Pegasus to spy on journalists, activists, opposition leaders, and political dissidents.

Reports revealed that the phone of Washington Post journalist Jamal Khashoggi's fiancée was infected with the software just four days after he was assassinated at the Saudi consulate in Istanbul in 2018. The CIA held the Saudi government responsible for the murder.

The revelations also sparked protests in parliament against Indian Prime Minister Narendra Modi's government for alleged use of spyware against political opponents. So far, the government has neither accepted nor denied the espionage charges.

In Hungary, allegations of espionage have led to calls for an investigation against the right-wing government, while in France the government is also trying to investigate allegations that an unnamed Moroccan security service used Pegasus to target President Emmanuel Macron and terrorists. members of his government in 2019. Morocco, an ally of France, has denied the allegations.

Additional Agency Reports