Your iPhone Is Super Vulnerable To Being Hacked So Update It Right This Second

Isaac Lawrence / AFP / Getty Images

SAN FRANCISCO — Apple rushed out a new security update for iPhones Thursday after it was revealed that an Israeli company had been selling and exploiting security vulnerabilities to Apple products.

The Israeli NSO Group, a company so secretive it has repeatedly changed its name to avoid notice, was selling software to state governments that was then used to infiltrate iPhones, gaining access to text messages, emails, contacts and call, according to a new report released Thursday by researchers at Citizen Lab, an interdisciplinary group at the University of Toronto, and Lookout, a San Francisco mobile security company.

The vulnerabilities, known as “zero days” because they were previously unknown to Apple, grant total access to an iPhone through a spear-phishing text message. Those text messages were designed to mimic the types of message a user might receive from a legitimate site, said the report. Among those impersonated to get users to click on the links: the Red Cross, Facebook, Google and even the Pokemon Company. Once clicked, the message downloaded malware which gave the attackers total access to the phone.

Lookout’s vice president of research Mike Murray told Motherboard that NSO was “basically a cyber arms dealer,” and that the type of malware used by NSO had never been seen before.

“We realized that we were looking at something that no one had ever seen in the wild before. Literally a click on a link to jailbreak an iPhone in one step,” Murray told Motherboard. “One of the most sophisticated pieces of cyber espionage software we’ve ever seen.”

An NSO Group spokesman did not answer a request for comment by BuzzFeed News. An NSO Group spokesman said in an email to the New York Times that, “The company sells only to authorized governmental agencies, and fully complies with strict export control laws and regulations.”

The malware used by NSO was discovered when Ahmed Mansoor, a 46-year-old human rights activist from the United Arab Emirates, noticed a strange text message on the morning of August 10. Mansoor, who had previously been a victim of government cyber espionage with tools purchased for FinFisher and Hacking Team — companies that compete with NSO — was suspicious of the message and forwarded it to Citizen Lab.

The report found that other NSO targets included activists and journalists in Yemen, Turkey, Mozambique, Mexico, Kenya, and the UAE.

Zero days are often sold to private companies and governments eager to break into devices in back-room deals that can net millions of dollars. Flaws in Apple’s iOS system are rare; in one public sale last year, the cybersecurity company Zerodium bought a zero-day exploit for an iPhone for $1 million. BuzzFeed News has reached out to Apple for comment.