Pegasus scandal: Apple fixes flaw with new software update


Apple on September 13 released an emergency update to fix a flaw that allowed the spyware at the heart of the Pegasus scandal to infect iPhones and other iOS devices without users even clicking on a malicious message or link.

Hours after releasing the fix, Apple said it had “rapidly” developed the update following Citizen Lab’s discovery of the problem.

“Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals,” the company said.

“We determined that the mercenary spyware company NSO Group used the vulnerability to remotely exploit and infect the latest Apple devices with the Pegasus spyware,” Citizen Lab wrote in a post.

Pegasus can be deployed as a “zero-click exploit,” meaning that the spyware can install itself without the victim even clicking a booby-trapped link or file, according to Lookout senior manager Hank Schless.

“Many apps will automatically create a preview or cache of links in order to improve the user experience,” Schless said.