Apple was forced to issue an emergency software patch on Monday as it was reported that devices such as iPhones were vulnerable to a new "no-click" security flaw.
Here is everything we know about the security vulnerability — and if you should be concerned.
What is the security flaw?
Researchers have discovered the hackers can exploit an Apple software vulnerability to break into devices such as iPhones, using a never-before-seen technique that does not need users to click on anything to facilitate the attack.
The vulnerability lies in how iMessage automatically renders images, internet security watchdog group Citizen Lab said on Monday.
How was the flaw discovered?
Citizen Lab said it found the malware on the phone of an unnamed Saudi activist.
Malicious image files were transmitted to the activist’s phone via the iMessage instant-messaging app before it was hacked with spyware which opens a phone to eavesdropping and remote data theft.
Who is behind the attack?
Citizen Lab believes the tool to exploit Apple's security vulnerability was developed by a cyber surveillance company based in Israel named NSO Group.
Citizen Lab said multiple details in the malware overlapped with prior attacks by NSO, including some that were never publicly reported. One process within the hack's code was named "setframed," the same name given in a 2020 infection of a device used by a journalist at Al Jazeera.
An Apple spokesperson declined to comment on whether the hacking technique came from NSO Group.
In a statement to Reuters, NSO did not confirm or deny that it was behind the technique, saying only that it would "continue to provide intelligence and law enforcement agencies around the world with life-saving technologies to fight terror and crime."
How long was the security flaw in place?
The security vulnerability flew under the radar of Apple for at least six months, with Citizen Lab saying the technique has been in use since at least February.
How many people are affected?
It is unknown how many other users may have been infected, and researchers said they did not believe there would be any visible indication that a hack had occurred.
The security vulnerability affects all versions of Apple's iOS, OSX, and watchOS, except for those updated from Monday with an emergency software patch from Apple.
Should I be concerned that I have been targeted?
Security experts say that average iPhone, iPad and Mac users generally need not worry, as such attacks tend to be highly targeted.
Ivan Krstić, head of Apple Security Engineering and Architecture, said such attacks are "highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals."
"While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data," he added.
What can I do to protect my device?
Apple said it fixed the security vulnerability in a software update made available on Monday.
"After identifying the vulnerability used by this exploit for iMessage, Apple rapidly developed and deployed a fix in iOS 14.8 to protect our users," said Apple's Mr Krstić.
Could a security breach happen again – or be happening right now?
Apple's iMessage has been repeatedly targeted by NSO and other cyber arms dealers, prompting Apple to update its architecture, but upgrades evidently failed to fully protect the system.
Citizen Lab researcher Bill Marczak said the security of devices is increasingly challenged by attackers.
A record number of previously unknown attack methods, which can be sold for $1 million or more, have been revealed this year. The attacks are labeled "zero-day" because software companies had zero days' notice of the problem.
Along with a surge in ransomware attacks against critical infrastructure, the explosion in such attacks has stoked a new focus on cybersecurity in the White House as well as renewed calls for regulation and international agreements to rein in malicious hacking.
The FBI has been investigating NSO, and Israel has set up a senior inter-ministerial team to assess allegations that its spyware has been abused on a global scale.
Although NSO has said it vets the governments it sells to, its Pegasus spyware has been found on the phones of activists, journalists and opposition politicians in countries with poor human rights records.
