Apple has released a fix to keep people who use its devices safe from the Pegasus spyware. Pegasus, developed by Israeli company NSO Group, was deployed on users’ devices through previously unknown flaws in Apple’s software.
The new version of the spyware was found by Canadian cyber security researchers at Citizen Lab, who discovered Pegasus implanted in the phone of a Saudi activist.
The weakness in Apple’s software allowed the spyware to be inserted silently, without needing to fool the victim into opening suspicious links or files.
So, how does a zero-click attack work? And can it be stopped? Here’s everything you need to know.
What is a ‘zero-click’ hack?
Spying software has traditionally relied on convincing the targeted person to click on a booby-trapped link or file in order to install itself on their phone, tablet or computer.
“Zero-click takes that threat to the next level,” said John Scott-Railton, senior researcher at Citizen Lab, the Toronto University cybersecurity centre which discovered the Apple flaw.
With a zero-click attack, the software can sneak its way onto the device without the person needing to be fooled into clicking on a link.
What was the weakness in Apple’s software?
The malware exploited a hole in Apple’s iMessage software to stealthily install Pegasus, a hugely invasive piece of software. It would allow spies to turn a phone into a pocket listening device and grant them much easier access.
Allegations that the software has been used by governments worldwide to eavesdrop on human rights activists, business executives and politicians sparked a global scandal in July.
How to know if an iPhone is infected?
Security analysts say it’s not possible to know if a phone is infected. “There’s nothing you can do as a user to protect yourself from infection, and nothing you’re going to see when you’re infected,” Scott-Railton told news agency AFP.
He asked all those who have an iPhone to install the latest security update as soon as possible. Apple announced a fix for the problem just under a week after Citizen Lab reported it on September 7.
Before this latest security threat to iMessage, WhatsApp discovered in 2019 that it, too, had a zero-click vulnerability that was being used to install Pegasus on phones.