Apple has released security updates for a zero-day vulnerability that affects every iPhone, iPad, Mac and Apple Watch. Citizen Lab, which discovered the vulnerability and was credited with the find, has urged users to immediately update their devices.
The technology giant said iOS 14.8 for iPhones and iPads, as well as new updates for Apple Watch and macOS, will fix at least one vulnerability that it said "may have been actively exploited."
The Pegasus software from Israeli firm NSO Group has been under intense scrutiny since an international media investigation claimed it was used to spy on the phones of human rights activists, journalists, and even heads of state.
Researchers at Citizen Lab, a cybersecurity watchdog organisation in Canada, found the problem while analysing a Saudi activist's phone that had been compromised with the code.
"We determined that the mercenary spyware company NSO Group used the vulnerability to remotely exploit and infect the latest Apple devices with the Pegasus spyware," Citizen Lab wrote in a post.
In March, Citizen Lab examined the activist's phone and determined that it had been hacked with Pegasus spyware delivered via iMessage, and that the attack did not require the phone's user to so much as click.
Hours after releasing the fix, Apple said it had "rapidly" developed the update following Citizen Lab's discovery of the problem.
"Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals," the company said.
Pegasus has evolved to become more effective since it was uncovered by Citizen Lab and cyber security firm Lookout five years ago.
Pegasus can be deployed as a "zero-click exploit," meaning that the spyware can install itself without the victim even clicking a booby-trapped link or file, according to Lookout senior manager Hank Schless.
An international media investigation reported in July that several governments used the Pegasus malware, created by NSO Group, to spy on activists, journalists, and politicians.
Pegasus can switch on a phone's camera or microphone and harvest its data.
"It is highly dangerous and irresponsible to allow the surveillance technology and trade sector to operate as a human rights-free zone," United Nations human rights experts said in a statement at the time.
The statement was signed by three special rapporteurs on rights and a working group on the issue of human rights and transnational corporations and other businesses.