Israeli firm NSO Group’s Pegasus software has come under intense scrutiny since an international media investigation claimed it was used to spy on the phones of human rights activists, journalists and even heads of state.
Researchers at Citizen Lab, a cybersecurity watchdog organization in Canada, found the problem while analyzing the phone of a Saudi activist who had been compromised with the code.
“We determined that the mercenary spyware company NSO Group used the vulnerability to remotely exploit and infect the latest Apple devices with the Pegasus spyware,” Citizen Lab wrote in a post.
In March, Citizen Lab examined the activist’s phone and determined that it had been hacked with Pegasus spyware introduced via iMessage text messages, and that the infection did not even require the phone’s user to click.
Hours after releasing the fix, Apple said it had developed the update “quickly” after Citizen Lab discovered the problem.
“Attacks such as those described are highly sophisticated, cost millions of dollars to develop, often have a short lifespan, and are used to target specific individuals,” the company said.
NSO did not dispute that Pegasus had prompted the urgent software update and said in a statement that it “will continue to provide intelligence and law enforcement agencies around the world with life-saving technologies to combat terrorism and crime.”
Pegasus has evolved to become more effective since it was discovered by Citizen Lab and cybersecurity firm Lookout five years ago.
Pegasus can be deployed as a “no-click exploit,” meaning spyware can be installed without the victim clicking on a booby-trapped link or file, according to Lookout Senior Manager Hank Schless.
“Many applications will automatically create a link preview or cache to improve the user experience,” said Schless.
“Pegasus takes advantage of this functionality to silently infect the device.”
UN experts recently called for an international moratorium on the sale of surveillance technology until regulations to protect human rights are implemented following an Israeli spyware scandal.
An international media investigation reported in July that several governments used the Pegasus malware, created by the NSO Group, to spy on activists, journalists and politicians.
Pegasus can turn on a phone’s camera or microphone and collect its data.
“It is very dangerous and irresponsible to allow surveillance technology and the commercial sector to operate as a human rights free zone,” United Nations human rights experts said in a statement at the time.
The declaration was signed by three special rapporteurs on rights and a working group on the subject of human rights and transnational corporations and other companies.
Israel’s defense establishment has established a committee to review NSO’s business, including the process by which export licenses are granted.
NSO insists its software is designed to be used only in the fight against terrorism and other crimes, and says it exports to 45 countries.