A vulnerability in iOS source code appears to have allowed NSO customers, including Saudi Arabia, Rwanda, and Mexico, to hide malware in images sent via iMessage to take control of phones.
A vulnerability in the iOS source code appears to have allowed Pegasus spyware to take control of the phone's functions. Photo: AFP
Pegasus can stealthily read encrypted messages stored on the phone, remotely turn on the camera and microphone, and continuously track the phone's location.
The new patch from Apple also addresses a vulnerability affecting Apple Wallet, where people store payment cards, the company said in a brief statement Thursday evening without providing further details as it rolled out the update to billions of phones.
This latest patch, among a handful Apple has issued in recent years, continues what has been described as a cat-and-mouse game between top US tech companies and spyware makers like Israel-based NSO.
While NSO maintains that its products are only used to monitor potential terrorists and fight organized crime, the vulnerability was discovered by the University of Toronto’s Citizen Lab, which said it found the flaw on the phone of an employee of a Washington-based “civil society” organization.
The discovery of the latest vulnerability shows that NSO continues to find rare weaknesses in some of the most complex operating systems, despite US sanctions against the organization.
My Lan (according to FT)