Apple has released an emergency software update after a security vulnerability was found that allows hackers to directly infect an iPhone, Mac computer or Apple Watch without the user having to click on anything.
The security issue was exploited to plant spyware on the iPhone of an anonymous Saudi activist, researchers at the University of Toronto's Citizen Lab said.
They said they had high confidence that the world's most infamous hacker-for-hire firm, Israel's NSO Group, was behind the attack, although the attack was "not necessarily" being attributed to the Saudi government.
Citizen Lab, an internet security watchdog, said the previously unknown vulnerability affected all major Apple devices - iPhones, Macs and Apple Watches.
NSO Group responded with a one-sentence statement saying it will continue providing tools for fighting "terror and crime."
It was the first time a so-called "zero-click" exploit - one that allows hackers to access a phone without requiring the user to click on suspicious links or open infected files - has been caught and analysed, researchers said.
Citizen Lab found the malicious code on September 7 and immediately alerted Apple, but analysis of the phone showed it had been infected in March.
In a blog post, Apple said it was issuing iOS 14.8 and iPadOS 14.8 as a security update to address a flaw triggered by a "maliciously crafted" PDF file, adding that the flaw "may have been actively exploited".
How do I update my iPhone to fix the security flaw?
Apple users with the affected software should get alerts prompting them to update the phone's iOS software.
But you can also update the software manually by opening the phone's Settings, tapping "General" and then "Software Update", and installing the patch directly.
Citizen Lab called the iMessage exploit FORCEDENTRY and said it was effective against Apple iOS, macOS and watchOS devices. It urged people to install the security updates immediately.
The update is for iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later and iPod touch (7th generation).
"After identifying the vulnerability used by this exploit for iMessage, Apple rapidly developed and deployed a fix in iOS 14.8 to protect our users," said Ivan Krstić, head of Apple Security Engineering and Architecture, in a statement.
"Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals.
"While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data."
Security experts have said average iPhone, iPad and Mac users do not need to worry, as these attacks are limited to specific targets, but the discovery still alarmed security professionals.
Malicious image files were put on the Saudi activist's phone via the iMessage app, before it was hacked with NSO's Pegasus spyware, which opens a phone to eavesdropping and remote data theft, Citizen Lab researcher Bill Marczak said.
Citizen Lab had previously found evidence of zero-click exploits being used to hack into the phones of al-Jazeera journalists and other targets, but had not previously obtained the malicious code itself.
The internet security watchdog said the case reveals, once again, that NSO Group is allowing its spyware to be used against ordinary people.
In a statement to Reuters, NSO did not confirm or deny that it was behind the technique, saying only that it would "continue to provide intelligence and law enforcement agencies around the world with life-saving technologies to fight terror and crime."