Apple patched a software flaw that, until Thursday afternoon, offered a way for hackers to install powerful spyware on iPhones, and turn them into secret tracking devices capable of taking pictures and recording data.
Apple’s (AAPL) move came after researchers reported this week about how unnamed hackers attempted to install the bug on the phone of a human rights activist in the United Arab Emirates.
“We were made aware of this vulnerability and immediately fixed it with iOS 9.3.5. We advise all of our customers to always download the latest version of iOS to protect themselves against potential security exploits,” said an Apple spokesman, adding the patch had been shipped at 1 p.m. ET on Thursday.
The iOS vulnerabilities involved so-called “zero day” exploits and were sold as a mobile espionage product called “Pegasus,” according to Lookout, a San Francisco-based security company. Pegasus was reportedly developed by NSO Group, which specializes in making cyber weapons.
Lookout claims the Pegasus product was so valuable that it sold for price of $8 million for 300 licenses. The company added in a blog post that the license would only be used against high value targets.
Get Data Sheet, Coins2Day’s technology newsletter.
One of those targets was Ahmed Mansoor, the UAE activist. According to watchdog group Citizen Lab, Mansoor received text messages on in his iPhone on August 10 from someone who promised to share new secrets about prisoners being tortured in UAE jails.
The message included a link, but Mansoor elected not to click it and instead reached out to Citizen Lab, which discovered the iOS vulnerabilities along with Lookout.
After deciphering the nature of the vulnerabilities, the two organizations then informed Apple, which proceeded to repair them—resulting in the patch the company sent out on Thursday.
The incident underscores again how iPhone vulnerabilities are highly coveted because Apple devices are considered to be extremely difficult to penetrate. It may also serve to validate Apple’s recent decision to embrace “bug bounties” in which companies offer rewards to anyone who calls their attention to flaws in their software. The Pegasus affair comes after reports last month over iOS vulnerabilities related to password theft and FaceTime.