Apple on September 13 released an emergency update to fix a flaw that allowed spyware at the heart of the Pegasus scandal to infect iPhone and other iOS devices without users even clicking on a malicious message or link.
Hours after releasing the fix, Apple said it had "rapidly" developed the update following Citizen Lab's discovery of the problem.
"Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals," the company said.
NSO did not dispute Pegasus had prompted the urgent software upgrade, and said in a statement that it would "continue to provide intelligence and law enforcement agencies around the world with life saving technologies to fight terror and crime."
Pegasus can be deployed as a "zero-click exploit," meaning that the spyware can install itself without the victim even clicking a booby-trapped link or file, according to Lookout senior manager Hank Schless.
"Many apps will automatically create a preview or cache of links in order to improve the user experience," Schless said.
"Pegasus takes advantage of this functionality to silently infect the device."
An international media investigation reported in July that several governments used the Pegasus malware, created by NSO Group, to spy on activists, journalists and politicians.
Pegasus can switch on a phone's camera or microphone and harvest its data.
Users should get alerts on their iPhones prompting them to update the phone's iOS software. Those who want to jump the gun can go into the phone settings, click General then Software Update, and trigger the patch update directly.
Citizen Lab called the iMessage exploit "FORCEDENTRY" and said it was effective against Apple iOS, MacOS and WatchOS devices. It urged people to immediately install security updates.
In July, a global media consortium published a report on how clients of NSO Group have been spying for years on journalists, human rights activists, political dissidents and people close to them, with the hacker-for-hire group directly involved in the targeting.
Researchers at Citizen Lab, a cybersecurity watchdog organization in Canada, found the problem while analyzing a Saudi activist's phone that had been compromised with the code.
"We determined that the mercenary spyware company NSO Group used the vulnerability to remotely exploit and infect the latest Apple devices with the Pegasus spyware," Citizen Lab wrote in a post.
In March Citizen Lab examined the activist's phone and determined it was hacked with Pegasus spyware introduced via iMessage texting and that it didn't even require the phone's user to so much as click.(With inputs from agencies)