Last week, while checking the device of an individual employed by a Washington DC-based civil society organization with international offices, Citizen Lab found an actively exploited zero-click vulnerability being used to deliver NSO Group’s Pegasus mercenary spyware.

Citizen Lab reports the discovery of the ominous sounding ‘Blastpass’. This is a bug in the operating system of most Apple devices that allows someone to infect your phone with spyware simply by messaging you a special image. The recipient doesn’t have to click on anything.

It reminds me of that time in 2019 where users of WhatsApp on both iOS and Android devices could be infected via receiving a WhatsApp call, even if they didn’t answer it.

Back then, a lawsuit alleged that at least 1400 people were subjected to it:

Over an 11-day span in late April and early May, the suit alleges, NSO targeted about 1,400 mobile phones that belonged to attorneys, journalists, human-rights activists, political dissidents, diplomats, and senior foreign government officials

Similarly to what the above implies, the feeling seems to be that probably for now if you’re not someone being personally targeted by an extremely resourceful adversary then you’re probably OK. But still, best to upgrade to iOS 16.6.1 or put your phone into lockdown mode.