Apple released emergency software updates for its products after security experts at Citizen Lab discovered a vulnerability that allowed Pegasus spyware users to secretly run programs on other people’s devices, Apple said. Updates have been released for iOS, iPadOS, watchOS and macOS, The New York Times reports.
Citizen Lab identified the vulnerability during an analysis of a hacked phone belonging to a Saudi Arabian activist. The malware that exploited it was delivered through iMessage and did not require any action on the part of the user to work.
“This spyware can do everything that an iPhone user can do on their device and more,” said John Scott-Railton, senior fellow at Citizen Lab.
Apple specifies that sending a specially crafted PDF file is enough to infect a device.
The update came on the eve of Apple’s presentation, which is expected to showcase new iPhone and Apple Watch models.
Pegasus spyware was created by the Israeli company NSO Group. In July, foreign media outlets reported, following a joint investigation, that several governments are using it to spy on journalists, activists and politicians.
Such surveillance, in particular, was carried out by the Hungarian government under the leadership of Prime Minister Viktor Orban, notes The Guardian. Other countries whose authorities used Pegasus against the press include Azerbaijan, Kazakhstan, India, Israel, Bahrain, Mexico, Morocco, Rwanda, Saudi Arabia and the United Arab Emirates.
17 publications took part in the Pegasus Project investigation, including the American The Washington Post, the British The Guardian, the German Süddeutsche Zeitung and the Israeli newspaper Haaretz. The project was coordinated by Forbidden Stories, a French non-profit organization, with technical assistance from Amnesty International.
The investigation is based on a list of 50,000 phone numbers that may have been hacked. The oldest entries on the list, according to media reports, date from 2016. Journalists have identified the owners of thousands of numbers in over 50 countries. Amnesty International’s analysis showed that at least 23 telephones belonging to journalists were successfully infected with Pegasus, and another 14 showed signs of a hacking attempt. In some cases a phone was infected with Pegasus dozens of times.