An Apple security exploit made it possible for Apple devices to be infected with spyware without any user action, but a patch is out now.
This “zero-click” exploit was found by Citizen Lab researchers at the University of Toronto on September 7. Apple was informed of the exploit right away and has since issued a patch to address the problem. While the exploit was likely being used for specific targets like activists and reporters, it’s recommended that everyone install the new patch if they’re able.
Without the security update, hackers can infect a given Apple device (computer, phone, tablet, or even watch) just by sending an image. You wouldn’t even have to open or otherwise interact with the image file for it to affect your device—simply receiving it is enough. If your device can use iMessage, it’s at risk until you update.
Citizen Lab believes NSO Group used the exploit to infect an activist’s phone with its Pegasus spyware back in March. Some journalists from Al Jazeera were also likely targets of this exploit.
According to NPR, while Apple is taking this issue seriously, it has reiterated that the average user likely won’t become a target.
If you have an iPhone, it should alert you about the new patch on its own and prompt the download. Or, you can start a manual software update instead.
If you have an iPad, Apple Watch, or Apple computer, you should also look for and install the latest system versions, just to be safe.