Apple loves to tout how its iPhone is the most secure smartphone on the planet. They recently spoke about how their smartphones are the “most secure consumer mobile device on the market”… right after researchers discovered a zero-click iMessage exploit used to spy on journalists internationally.

Amnesty International published a report the other day that was peer reviewed by Citizen Lab, and the report confirmed that Pegasus — the NSO Group-made spyware — was successfully installed on devices via a zero-day, zero-click iMessage exploit. The researchers discovered the malicious software running on an iPhone 12 Pro Max device running on iOS 14.6, an iPhone SE2 running iOS 14.4, and an iPhone SE2 running iOS 14.0.1. The device running iOS 14.0.1 did not require a zero-day exploit.

Last year, a similar exploit was employed (dubbed KISMET) which was used on iOS 13.x devices, and the researchers at Citizen Lab noted that KISMET is substantially different from techniques employed by Pegasus today in iOS 14. Pegasus has been around for a long time and was first documented in 2016 when it was found to exploit three zero-day vulnerabilities on iPhones, though back then, it was less sophisticated as the victim still had to click the link that was sent.

The Washington Post detailed how the new exploit method worked when it infected the iPhone 11 of Claude Mangin, the French wife of a political activist jailed in Morocco. When her phone was examined, it could not be identified what data was exfiltrated from it, but the potential for abuse was extraordinary nonetheless. The Pegasus software is known to collect emails, call records, social media posts, user passwords, contact lists, pictures, videos, sound recordings, and browsing histories. It can activate cameras and microphones, it can listen to calls and voice mails, and it can even collect location logs.

In Mangin’s case, the attack vector was through a Gmail user going by the name of “Linakeller2203”. Mangin had no knowledge of that username, and her phone had been hacked multiple times with Pegasus between October 2020 and June 2021. Mangin’s phone number was on a list of more than 50,000 phone numbers from more than 50 countries, reviewed by The Washington Post and a number of other news organizations. NSO Group says that it licenses the tool exclusively to government agencies in order to combat terrorism and other serious crimes, though countless journalists, political figures, and high-profile activists have been found to be on the list.

The Washington Post also found that 1,000 phone numbers in India had appeared on the list. 22 smartphones obtained and forensically analyzed in India found that 10 were targeted with Pegasus, seven of them successfully. Eight of 12 devices that the researchers could not determine were compromised were Android smartphones. While iMessage seems to be the most popular way to infect a victim, there are other ways, too.

The security lab at Amnesty International examined 67 smartphones whose numbers were on the list and found forensic evidence of infections or attempts of infections in 37 of them. 34 of those were iPhones, and 23 showed signs of successful infection. 11 showed signs of attempted infection. Only three of 15 Android smartphones examined showed evidence of an attempt, though researchers noted that that could be due to the fact that Android’s logs were not as comprehensive.

On iOS devices, persistence is not maintained, and rebooting is a way to temporarily remove the Pegasus software. On the surface, this seems like a good thing, but it’s also made it harder to detect the software. Bill Marczak of Citizen Lab took to Twitter to explain some more parts in detail, including explaining how the Pegasus spyware is not active until the zero-click attack is fired after a reboot.

Because the 0-clicks they’re using appear to be quite reliable, the lack of traditional “persistence” is a feature, not a drawback of the spyware. It makes the spyware nimbler, and prevents recovery of the “good stuff” (i.e., the spyware and exploits) from forensic analysis

— Bill Marczak (@billmarczak) July 18, 2021

Ivan Krstić, head of Apple Security Engineering and Architecture, gave a statement defending Apple’s efforts.

“Apple unequivocally condemns cyberattacks against journalists, human rights activists, and others seeking to make the world a better place. For over a decade, Apple has led the industry in security innovation and, as a result, security researchers agree iPhone is the safest, most secure consumer mobile device on the market,” he said in a statement. “Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals. While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data.”

Apple introduced a security measure dubbed “BlastDoor” as a part of iOS 14. It’s a sandbox designed to prevent attacks like Pegasus from happening. BlastDoor effectively surrounds iMessage and parses all untrusted data inside it, while preventing it from interacting with the rest of the system. Phone logs viewed by Citizen Lab show that the exploits deployed by NSO Group involved ImageIO, specifically the parsing of JPEG and GIF images. “ImageIO has had more than a dozen high-severity bugs reported against it in 2021”, Bill Marczak explained on Twitter.

This is a developing story, and it’s likely that Apple will push an update fixing the exploits used by Pegasus in apps like iMessage soon. These kinds of events highlight the importance of monthly security updates, and why it’s always important to have the latest ones installed.