The spyware could infect anyone's iPhone, iPad, Apple Watch or Mac computer.

Edward Gately, Senior News Editor

September 14, 2021

Apple has issued an emergency software update to plug a security flaw that could allow spyware to infect all Apple devices.

Researchers from the University of Toronto’s Citizen Lab said the flaw was exploited to infect the iPhone of a Saudi activist with NSO Group’s Pegasus spyware. Citizen Lab calls the exploit FORCEDENTRY.

“In March 2021, we examined the phone of a Saudi activist who has chosen to remain anonymous, and determined that they had been hacked with NSO Group’s Pegasus spyware,” Citizen Lab said.

Israeli firm NSO Group made the spyware. Cybercriminals allegedly used the spyware to surveil journalists and human rights advocates in multiple countries.

The Apple software update plugs a hole in the iMessage software that allowed hackers to infiltrate a user’s phone with spyware without the user clicking on any links, according to Citizen Lab.

Jerry Ray is COO of SecureAge. He said users, whether individuals or companies, should most definitely update their devices as soon as practical.

“The entire game changes the moment these zero-day vulnerabilities become publicly known,” he said. “Even if Apple and others believe that the usefulness of the exploit comes only for targeting select individuals, the public awareness of the vulnerability gives other cybercriminals and hackers the opportunity to consider and create other exploits. They’ll send these exploits far and wide even knowing that Apple has patched the vulnerability, banking on the notion that enough people have not updated their devices and the vulnerability remains.”

Ray said it’s not surprising spyware could infiltrate a tech giant like Apple.

“It’s unlikely that Apple can prevent everything that could possibly be done to exploit MacOS on PCs or iOS on its mobile devices,” he said.

Pegasus Continues to Evolve

Hank Schless is senior manager of security solutions at Lookout. He said Lookout and Citizen Lab first discovered Pegasus back in 2016. Since then, it has continued to evolve and take on new capabilities.

“Many apps will automatically create a preview or cache of links in order to improve the user experience,” he said. “Pegasus takes advantage of this functionality to silently infect the device.”

It’s important for both individuals and enterprise organizations to have visibility into the risks their mobile devices present, Schless said.

“Pegasus is an extreme, but easily understandable example,” he said. “From an enterprise perspective, leaving mobile devices out of the greater security strategy can represent a major gap in the ability to protect the entire infrastructure from malicious actors.”

More Emphasis on Mobile Devices Needed

Kevin Dunne is president of Pathlock. He said businesses often focus on their servers and workstations as the primary targets for hacking and espionage. However, businesses now use mobile devices broadly. Moreover, these devices contain sensitive information that needs to be protected.

“Spyware is primarily targeting these mobile devices and providing critical information to unauthorized parties,” he said. “To protect themselves against spyware, businesses should look at their mobile device security strategy.”

Purandar Das is co-founder and chief security evangelist with Sotero.

“The money in the underground economy has reached levels where criminals are organizing at scale to capitalize on the unique opportunity,” he said.

The organization funding these hackers likely stood to make millions in profits, Das said.

About the Author(s)

Edward Gately

Senior News Editor, Channel Futures

As news editor, Edward Gately covers cybersecurity, new channel programs and program changes, M&A and other IT channel trends. Prior to Informa, he spent 26 years as a newspaper journalist in Texas, Louisiana and Arizona.
