Pegasus spyware uses zero-click exploit to secretly break into Apple devices and take over control without requiring users to click on any link or download anything.

Apple issued a critical security update on Monday because of a “zero-click” exploit found that allowed attackers to take complete control of any Apple computer watch or iPhone simply by sending a message through iMessage.

Security researchers  at Citizen Lab uncovered the flaw, which allows the highly invasive Pegasus spyware – purportedly developed by Israel’s NSO Group – to infect anyone’s iPhone, Apple Watch or Mac computer.

The dangerous aspect of this vulnerability is that it does not require a victim to click on any link or download anything to be affected. That means that victims are highly unlikely to know that they are being infected or exploited. 

Coincidentally or otherwise, the critical update was issued on the eve of Apple’s big conference.

Pegasus uses a novel method to invisibly infect an Apple device without the victim’s knowledge for as long as six months. Known as a “zero-click remote exploit”, it is considered the Holy Grail of surveillance because it allows governments, mercenaries and criminals to secretly break into a victim’s device without tipping them off.

Tim Mackey, Principal Security Strategist, Synopsys Cybersecurity Research Center (CyRC), warned: “Zero-click software or apps should be a high concern for any mobile device user. This class of software doesn’t require any interaction by the user, so no explicit download and no explicit consent is granted.”

While there are legitimate uses for such software – such as for national security intelligence – Mackey finds that the secretive nature of the installation makes it particularly appealing to malicious or criminal groups. “The only real path for end-users to defend against such software is to keep on top of all operating system updates, vendor updates, and maintain an up to date anti-malware solution.”

Jesse Rothstein, CTO and Co-Founder, ExtraHop, commented: “We all carry highly sophisticated personal devices which have profound implications to personal privacy. There are many examples of this such as app data collection – which Apple recently moved to curb with its App Tracking Transparency framework.”

Any sufficiently sophisticated system has security vulnerabilities that can be exploited, said Rothstein, and mobile phones are no exception. 

He added: “Pegasus is an example of how unknown vulnerabilities can be exploited to access highly sensitive personal information. The NSO group is an example of how governments can essentially outsource or purchase weaponized cyber capabilities. This is no different than arms dealing in my view – it’s just not regulated that way. Companies are always going to have to patch their vulnerabilities, but regulations will help prevent some of these cyber weapons from being misused or falling into the wrong hands.”

Eric Nagel, General Manager, APAC, Cybereason, said: “This type of software is generally a scourge. This specific package has been known for a while. What’s novel is the subtle installation. These have happened in the past and should be a top priority to identify and fix for any vendor.”

Nagel warned that now that the vulnerability is known, others will try to use it while the window is still open. “So, patch and fix things,” he advised. “Stay calm and simply get control of your device and download the software updates available from Apple. Do that and move on. Follow Apple instructions if you think you are infected and consult your IT department at work, school, etc. Failing that Apple’s Genius Bar will be able to help.”

With regards to Apple security, his take is that failing is OK, but “failing consistently is not…. With nearly 2 billion iPhone active around the world, 100 million Apple Watches being used and more than 100 million Macs, security can’t be a luxury for Apple and it’s not; it’s a responsibility they take seriously.”

He concluded: “Let’s see how Apple addresses this. They are a generally more secure platform, but they must continue to invest and demonstrate commitment going forward. The most secure platform in the world can be cracked given time unless the security is maintained. An incident or two are not a cause for pitchforks and torches to come out. That comes later if things recur or are dealt with in a cavalier manner.”