The software update that Apple just released for every iPhone and iPad doesn’t activate any new features—but it does patch three enormous security holes that would allow a savvy hacker to access just about every corner of an iOS device.
If exploited correctly, those flaws allow an intruder unprecedented access to an iPhone. They allow attackers to read every email, text message, calendar item, and file saved on the device; peruse photos and videos; listen in on phone calls; track the device’s location; and remotely turn on its microphone and camera. The phone’s owner would have no idea that anything out of the ordinary was going on.
The vulnerabilities were discovered by security researchers at Lookout, a mobile software security company, and Citizen Lab, a technology-focused academic research center at the University of Toronto. The researchers were tipped off by a human-rights activist in the United Arab Emirates, who forwarded a pair of suspicious-looking text messages he received earlier this month from an unknown number. When they examined the link included in the text, they found that it led to a site designed to infect phones with a very advanced virus. The discovery was first reported by Motherboard and The New York Times.
“We realized that we were looking at something that no one had ever seen in the wild before,” Mike Murray, Lookout’s vice president for research, told Motherboard. “One of the most sophisticated pieces of cyber-espionage software we’ve ever seen.” Documentation that describes how the malware works indicates it can “self-destruct” if it’s in danger of being found, silently erasing itself off of the phone.
The security researchers reverse-engineered the malware in order to find out who had created it. The signs they found pointed to NSO, a shadowy Israeli cyberspying company.
The researchers also found references to versions of Apple’s mobile operating system as old as iOS 7, which was first released in 2013, suggesting that the vulnerability has existed for years.
Ahmed Mansoor, the UAE-based activist, first received the shady text messages on August 10. After the security researchers he shared them with dissected the code, they shared their findings with Apple. It took the company 10 days to develop and release a fix. (It’s unclear whether installing the iOS update will remove the malware if it’s already been downloaded and activated.)
To download the software update on an iPhone, open the Settings app, tap General, and then tap Software Update. Do it now.