Researchers at Citizen Lab found that NSO Group, an Israeli spyware company, had infected Apple products without so much as a click.
...Apple’s security team had worked around the clock to develop a fix since Tuesday, after researchers at Citizen Lab, a cybersecurity watchdog organization at the University of Toronto, discovered that a Saudi activist’s iPhone had been infected with an advanced form of spyware from NSO.
The spyware, called Pegasus, used a novel method to invisibly infect Apple devices without victims’ knowledge. Known as a “zero click remote exploit,” it is considered the Holy Grail of surveillance because it allows governments, mercenaries and criminals to secretly break into someone’s device without tipping the victim off.
Using the zero-click infection method, Pegasus can turn on a user’s camera and microphone, record messages, texts, emails, calls — even those sent via encrypted messaging and phone apps like Signal — and send them back to NSO’s clients at governments around the world.
“This spyware can do everything an iPhone user can do on their device and more,” said John Scott-Railton, a senior researcher at Citizen Lab...
The discovery means that more than 1.65 billion Apple products in use worldwide have been vulnerable to NSO’s spyware since at least March.
In the past, victims learned their devices were infected by spyware only after receiving a suspicious link texted to their phone or email, and sharing the link with journalists or cybersecurity experts. But NSO’s zero-click capability meant victims received no such prompt, and the flaw enabled full access to a person’s digital life. Such abilities can fetch millions of dollars on the underground market for hacking tools, where governments are not regulators but are clients and are among the most lucrative spenders.
...
NSO has long drawn controversy. The company has said that it sells its spyware only to governments that meet strict human rights standards and that it expressly requires customers to agree to use its spyware only to track terrorists or criminals.
But over the past six years, NSO’s Pegasus spyware has turned up on the phones of activists, dissidents, lawyers, doctors, nutritionists and even children in countries like Saudi Arabia, the United Arab Emirates and Mexico.