The message is the message: Apple just sent an emergency patch to all devices after a security flaw that enabled NSO Group's malicious Pegasus spyware to infect Apple devices was discovered, according to the company's official support page.
This hidden exploit in iMessage could affect iPhones, iPads, Apple Watches, and Mac computers. So, you need to stop what you're doing and update your Apple device, right now.
Citizen Lab discovered the Apple exploit in a Saudi activist's phone
Statistically, you're probably not the one the hackers want to exploit. But that's no excuse to leave yourself (and your device) with a major vulnerability. Luckily, the fix is easy. First, see if your device is running iOS 14.8, iPad OS 14.8, macOS Big Sur 11.6, watchOS 7.6.2, or security update 2021-005 for macOS Catalina, depending on which device(s) you own. Apple says iPad OS or iOS devices with compatibility for the update include "iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)." If you're wondering where this is coming from, the answer lies in Canada.
Researchers at the University of Toronto's Citizen Lab shared an urgent report explaining the exploit earlier on Monday. Apple dubbed the update CVE-2021-30860, and it cites Citizen Lab as the entity that discovered the critical exploit. Citizen Lab researchers reported that they uncovered the flaw while examining a Pegasus-infected phone that belonged to a Saudi activist. During the investigation, they saw that NSO Group had probably exploited what's called a "zero-click" vulnerability in iMessage that opens a door for Pegasus to upload onto your device. Typically, low-level malware doesn't require input from the user, which means NSO only needed to break into your iPhone to send a hidden, malware-stuffed iMessage without a notification, explained the researchers in their report.
Encrypted apps aren't protected from the new Apple exploit
Earlier Citizen Lab reports have also detected zero-click attacks from NSO on other devices, and, often, devices infected with the exploit "may not notice anything suspicious", which means it's up to the researchers, Apple, and every user to spread the word whenever one is encountered. Because, worryingly, a hacker who's exploited your phone can do "everything an iPhone user can do on their device and more" post-infection, according to a New York Times report. This means tracking calls, sent emails or texts, and even activating your device's camera without any sign that it's switched on. And in case you're taking solace in encrypted apps like Telegram or Signal, these are fully accessible via your device, which means after infection NSO can also peruse, copy, and share all of your encrypted data to whomever they want, according to the NYTimes.
This time, as was the case with previous similar exploits, Apple's hardware team took swift action to confront zero-click vulnerabilities. In February of this year, the company surreptitiously altered the code behind iOS, to substantially increase the difficulty NSO would have the next time they attempt such a sweeping yet subtle attack.
This was a breaking story and was regularly updated as new information became available.