New iOS security flaw means you should update your iPhone right now

Vulnerability let attackers snoop on email, contacts and calls

Apple released a critical iOS update today to fix an exploit that allowed malware to be installed on an iPhone with a single tap.

A report from Vice reveals the details of the exploit used to target Emirati human rights activist Ahmed Mansoor. Mansoor received a suspicious text that read, "New secrets about torture of Emiratis in state prisons" and included a link.

Instead of clicking on the link, though, Mansoor forwarded the message to Citizen Lab, a Toronto-based digital rights watchdog.

The text, it turns out, was malware that allowed an iPhone to be jailbroken in one tap. The malware, codenamed Pegasus, let an attacker steal and intercept all data on an iPhone. Calls could be intercepted, contacts lists exposed and text messages stolen.

NSO Group marketing materials

Image credit: WikiLeaks | NSO marketing materials that show what info Pegasus is able to capture.

Citizen Lab collaborated with cyber security company Lookout to dissect the malware and discovered its origins. The malware was created and distributed by a company called NSO Group, known for selling its spyware to governments. "[They're] basically a cyber arms dealer," said Lookout Vice President of Research Mike Murray.

NSO told Vice its malware is designed to "help make the world a safer place by providing authorized governments with technology that helps them combat terror and crime." But for journalists and activists living under a corrupt government, this inspires little confidence.

Update your phone now

Today's iOS 9.3.5 update patches the exploits used by NSO. Apple recommends all iPhone users update as soon as possible to avoid being a victim of this type of malware.

It pays to keep your phone's security up to date and to use common sense when receiving dubious links. Although news of Pegasus is alarming, iOS is still one of the most secure mobile operating systems for consumers, according to Dan Guido, CEO of cybersecurity firm Trail Of Bits, speaking to Vice.

iOS 9 3 5 update

Android's security has often lagged as a result of outdated software running on a majority of handsets. Android 6.0 Marshmallow still only makes up 15.2% of all Android handsets as of August 2016, according to Android Police.

Note that Android 6.0 is already one version behind Android 7.0 Nougat, which is only available on select Nexus phones right now.

While Pegasus may be patched today, it's a constant race between companies such as NSO and the likes of Apple, Google and Microsoft. It's up to software makers to stay one step ahead, and users to stay vigilant.