Apple recently released iOS 9.3.5, which, for all intents and purposes, was viewed as another minor security update following another minor security update issued earlier in the month.
However, as reported by The New York Times, it looks like iOS 9.3.5 was actually meant to patch a pretty sizable security exploit that was being used to obtain, or otherwise expose, a variety of different secure elements on a person’s iPhone, including their text messages, contacts, emails, and even phone call information. According to the report, the exploit was being used to track journalists, as well as other individuals.
“Investigators discovered that a company called the NSO Group, an Israeli outfit that sells software that invisibly tracks a target’s mobile phone, was responsible for the intrusions. The NSO Group’s software can read text messages and emails and track calls and contacts. It can even record sounds, collect passwords and trace the whereabouts of the phone user.”
The report goes further, saying that Apple fixed the patch 10 days after it was discovered, and that iOS 9.3.5 is meant to address the issue as a whole.
“In response, Apple on Wednesday released a patched version of its mobile software, iOS 9.3.5. Users can get the patch through a normal software update.”
In a separate report from VICE, the company behind the malware, NSO, is profiled a bit more. The company apparently dates back to 2010, and has been used by governments in the past to track mobile devices, and access information upon those devices.
“Since its founding in 2010, NSO has developed a reputation for providing sophisticated malware to governments that need to target cellphones in their investigations, although the use of its tools has never been documented before. The company claims that its products are completely stealthy, like a “ghost.” The company has been so guarded about its wares that it’s never had a website, and has rarely given interviews or any comments to the press. But some information has leaked out, including a sale for $120 million to a US-based venture capital firm in 2014 and a subsequent reported valuation of $1 billion.
NSO’s malware, which the company codenamed Pegasus, is designed to quietly infect an iPhone and be able to steal and intercept all data inside of it, as well as any communication going through it.”
The report also states that this intrusion has been available to NSO since 2007, which means iPhones dating back to the iPhone 5 have apparently been accessible. Today’s update appears to only cover iOS 9-based devices, and there doesn’t appear to be any word from Apple at this time if older handsets are protected from the exploit. However, it has been confirmed that the latest iOS 10 beta release, which was released on August 19, does include the same patch.
Apple has officially documented the security update here.