Apple Urges iOS 9.3.5 Upgrade in Response to Spyware
At one point in time, the idea that we might have to worry about hackers attacking our phones would have been fanciful. Similarly, the thought of a private group using software to spy on individuals through their phones might have felt more at home in a movie. Yet with Apple’s release of the iOS security update 9.3.5 and their urgent insistence for all users to upgrade immediately, it’s hard to deny that is the technological reality.
Known as Pegasus, the software exploited a now-patched vulnerability which allowed it to maliciously insert itself directly into the iOS kernel. In other words, Pegasus could immediately gain access to all important communications on your phone — calls, texts, contacts, photos and more. The most common attack vector was via a malicious link sent through text message. Once a user clicked on the link, the malware went to work. Perhaps even more surprising than the deep access it can have on your phone, though, is the software’s origin.
Pegasus’s genesis lies at NSO Group, a private Israeli group creating software for profit. Research into Pegasus and its creators indicates that the malware likely saw (or continues to see) widespread use in many countries. Due to the way the software infects the iOS kernel, it has “first look” access to all a user’s communications prior to any potential encryption. In other words, an ideal tool for covert espionage and bugging.
Luckily, the efforts of the security community and Apple led to a rapid fix in the form of version 9.3.5. Any users still delaying their upgrade should do so immediately to avoid any potential threat of compromise. Upgrading to iOS 10 will also patch the vulnerability. For those who have concerns about possibly already being infected by the Pegasus malware, Valuewalk provides an excellent guide to detecting and removing the threat. As with any new threat to our digital security, vigilance and thoroughness are the best policies. Ignoring suspicious texts and sticking to safe, mobile friendly websites can help to guard against potential intrusions.
Perhaps one of the most disturbing takeaways from the Pegasus story is the fact that Pegasus and its authors used three separate zero-day exploits to function properly. This shines a light on the continued importance of Apple’s security refinements to iOS and the need for dedication from users and security researchers alike. Though Pegasus has been put to bed, it’s important to continue watching out for the next attempt to hack our phones.