Apple is warning users to update their devices as soon as possible after it fixed a major spyware flaw.
The company has released emergency software updates in iOS 14.8 after learning of a vulnerability that let hackers break into Apple devices without users even clicking a link, the New York Times reports .
“Apple is aware of a report that this issue may have been actively exploited,” the company said on its website Monday.
The Canadian academic research group Citizen Lab published a report Monday saying it had uncovered a zero-day, zero-click exploit affecting iPhones, Macs, and Apple Watches. The lab says the flaw allowed Israeli spyware company NSO Group to remotely infect Apple devices. Because users don’t even have to click a link for the spyware to start working, they won’t even know their devices have been infected.
Known as Pegasus, the spyware can record texts, emails, and phone calls, and share them with NSO Group’s government clients worldwide, the Times reports. It can also turn on devices’ cameras and microphones.
“This spyware can do everything an iPhone user can do on their device and more,” Citizen Lab researcher John Scott-Railton told the Times.
Citizen Lab said it discovered the exploit, which it calls Forced Entry, in March while examining the phone of a Saudi activist who had been hacked with the spyware. The lab believes Forced Entry has been at work since at least February.
NSO Group was also found to be using zero-click attacks earlier this year. In July, Amnesty International found that military-grade spyware from NSO Group was used to hack the iPhones of dozens of journalists, activists, and executives .
Apple did not immediately respond to requests for comment.
A spokesperson for NSO Group emailed the following statement: NSO Group will continue to provide intelligence and law enforcement agencies around the world with life saving technologies to fight terror and crime.”
