Apple has issued a software patch to block so-called “zero-click” spyware that could infect iPhones and iPads.
Independent researchers identified the flaw, which lets hackers access devices through the iMessage service even if users do not click on a link or file.
The problem affects all of the technology giant’s operating systems, the researchers said.
Apple said it issued the security update in response to a “maliciously crafted” PDF file.
University of Toronto’s Citizen Lab, which first highlighted the issue, said that the previously unknown vulnerability affected all major Apple devices, including iPhones, Macs and Apple Watches.
Citizen Lab said the security issue was exploited to plant spyware on a Saudi activist’s iPhone adding that it had high confidence that the Israeli hacker-for-hire firm, NSO Group, was behind that attack.
NSO did not confirm or deny that it was behind the spyware, but told Reuters that it would “continue to provide intelligence and law enforcement agencies around the world with life-saving technologies to fight terror and crime”.
Security experts have said that although the discovery is significant, most users of Apple devices should not be overly concerned as such attacks are usually highly targeted.
In a blog post, Apple said that it had issued the iOS 14.8 and iPadOS 14.8 software patches after it became aware of a report that the flaw “may have been actively exploited”.