STOP WHAT YOU'RE DOING and update your iPhone, is the latest advice from Apple after the company was alerted to a "sophisticated" spyware threat affecting iOS.
iOS 9.3.5 was pushed out on Thursday after security company Lookout and watchdog Citizen Lab informed Apple about a spyware threat that takes advantage of three previously unknown vulnerabilities in the iOS code.
- CVE-2016-4655 - an input validation flaw that could allow iOS kernel memory contents to be viewed by an installed app
- CVE-2016-4656 - a memory corruption flaw in the iOS kernel that allows remote code execution and can be exploited by an installed app
- CVE-2016-4657 - a remote code execution flaw in WebKit that could allow an attacker to jailbreak and install malware on an iOS device by way of a specially crafted web page.
Lookout collectively calls the three zero-day vulnerabilities Trident, and warned that they could allow personal data to be accessed after opening a link sent in a text message.
"It infects a user's phone invisibly and silently, such that victims do not know they’ve been compromised," the firm said.
The discovery was made after human rights lawyer Ahmed Mansoor alerted security researchers to unsolicited text messages he had received on his iPhone.
Following the link would have jailbroken his phone and infected it with malware capable of logging encrypted messages, activating the microphone and tracking the handset's movements.
"Pegasus is professionally developed and highly advanced in its use of zero-day vulnerabilities, code obfuscation and encryption," the researchers wrote.
"It uses sophisticated function-hooking to subvert OS- and application-layer security in voice/audio calls and apps including Gmail, Facebook, WhatsApp, FaceTime, Viber, WeChat, Telegram, Apple’s built-in messaging and email apps, and others.
"It steals the victim’s contact list and GPS location, as well as personal, WiFi and router passwords stored on the device."
Apple is said to have fixed the faults 10 days after Lookout sounded the alarm.
"We were made aware of this vulnerability and immediately fixed it with iOS 9.3.5. We advise all our customers to always download the latest version of iOS to protect themselves against potential security exploits," the firm said in a statement.
Apple has also confirmed that the bugs were fixed in the latest versions of the iOS 10 public and developer betas pushed out last week.