Why It’s Important to Install the iOS 9.3.5 Update Right Away

Apple was quick to update iOS to patch malware that enables hackers install spyware on its devices and steal user data. Here’s why users should update to iOS 9.3.5 immediately.

The story of this critical flaw starts with Ahmed Mansoor, a human rights activist from the United Arab Emirates who was reportedly sent a link in a text message “about torture of Emiratis in state prisons.” Had he clicked the link, the spyware would have been installed and his data stolen. Instead, he sent it off to security researcher Citizen Lab, which, along with security firm Lookout, investigated the issue and brought it to Apple’s attention.

In a blog post outlining their findings, security researchers at Lookout and Citizen Lab called the spyware software Pegasus and noted it’s capable of exploring three zero-day vulnerabilities that it named the “Trident.” According to the companies, the Trident can help hackers find the iOS kernel’s location in memory, jailbreak the device at the kernel level and install its payload. The malware attacks devices by tricking users to click on a link that opens in the Safari browser.

According to the security researchers, the payload delivers a typical phishing-like “attack sequence.” First, a user is sent a text message with a link. If the user clicks the link, Safari is opened, a page is loaded, the iOS security flaws are exploited and the spyware is installed.

The scope to which the spyware can capture data is staggering. According to the researchers, the spyware can access messages, calls and emails. It also can target third-party applications such as Gmail, Facebook, Skype and WhatsApp to steal all of the user data the apps contain. Worst of all, it was designed to live on after the initial data theft and survive Apple’s annual updates. However, the special iOS 9.3.5 update fixes the flaws the Pegasus malware exploited.

The trouble with the hack is that victims have no idea they’ve been compromised. In fact, the best exploits bring those users to pages that appear to be legitimate. However, an instant after the Pegasus malware is downloaded onto vulnerable devices, it can transfer data to the attackers without the device users ever knowing the difference.

According to most reports, Apple moved swiftly to address the issue. The company released iOS 9.3.5 on Thursday, Aug. 25, which means it took Apple about 10 days to fix the problem after being notified about it and make it so the malware no longer could access user content. That’s awfully fast, but it’s unclear how many iOS users have downloaded the patch so far.

Interestingly, it’s not believed that Pegasus is a tool created by government hackers or individuals looking to scam users. Instead, Citizen Lab said it believes an Israel-based organization named NSO Group, which was acquired by U.S. company Francisco Partners Management in 2010, actually developed the spyware. Since then, the company has been selling the software to governments to help them hack other governments and individuals of interest, according to the report.

Considering the software was developed several years ago and it can live on through software updates, it’s believed to have been living in the iOS ecosystem for years. In fact, Lookout believes that hackers have been using the tool since iOS 7 with great effect.

Apple hasn’t been too willing to chat about the security issues in iOS that allowed Pegasus to work so stealthily. However, Apple has encouraged users to install the update. Users can access the iOS 9.3.5 update by going to Settings, choosing “general” and then “software update.” This will enable them to download and install the update.

The Pegasus malware should once and for all dispel the myth that iOS is not very vulnerable to critical security flaws and malware exploits. It also should dispel the myth that Android is somehow more vulnerable to security flaws than iOS. Granted, Android’s reliance on carriers and device makers to push out updates remains a serious issue, but iOS is far from bullet-proof.