The malware was found on the phone of an unidentified Saudi activist by Canada’s Internet security watchdog Citizen Lab.
This is the first time that a “zero click” exploit – which affects all of the phone’s operating systems – has been detected and analyzed.
The phone was reportedly infected in February, although researchers discovered the malicious code on September 7 and alerted Apple immediately.
Ivan Krstić, Head of Engineering and Security Architecture at Apple, said: “After identifying the vulnerability used by this exploit for iMessage, Apple quickly developed and deployed a patch in iOS.
14.8 to protect our users.
“Attacks like the ones described are very sophisticated, cost millions of dollars to develop, often have a short lifespan, and are used to target specific individuals. “
“While this means that they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all of our customers, and we are constantly adding new protections for their devices and data,” said he added.
Citizen Lab researcher Bill Marczak said there was great confidence that Israeli surveillance firm NSO Group was behind the attack, although it was “not necessarily” attributed to the Saudi government. .
In a statement to Reuters, NSO neither confirmed nor denied that it was behind the technique, saying only that it “would continue to provide intelligence and law enforcement services around the world with vital technologies to fight against terrorism and crime ”.
Citizen Lab has already found evidence of clickless malware being used to hack the phones of some journalists and other targets, but Mr Marczak said this was the first time that software had been captured “so that we can find out how it works ”.
Security experts said the average user didn’t need to worry too much as such attacks tend to be very targeted, but the exploit was still alarming.
Mr Marczak said malicious files were placed on the Saudi activist’s phone through the iMessage app before the phone was hacked with NSO’s Pegasus spyware.
This meant that the phone was able to spy on its user, without him even knowing it.
Citizen Lab researcher John Scott-Railton said: “Popular chat apps risk becoming the soft underbelly of device security. Securing them should be the top priority.
In July, it was reported that NSO Group spyware used to target journalists, political dissidents and human rights activists.
NSO Group claims its spyware is only used by governments to hack the cell phones of terrorists and serious criminals, but a leaked list of more than 50,000 phone numbers of interest to the company’s customers suggests it is used much more widely.
More than 1,000 people in 50 countries have been selected for potential surveillance – including 189 journalists and more than 600 politicians and government officials, according to Forbidden Stories and Amnesty International, a Paris-based non-profit newspaper, as well as their media partners .
Mr Marczak said on Monday: “If Pegasus had only been used against criminals and terrorists, we would never have found this stuff. “
It has also been reported that the FBI is investigating the NSO group and that Israel has established a high-level interdepartmental team to investigate the allegations regarding the use of the spyware.