Researchers at Citizen Lab have discovered a zero-click, zero-day vulnerability for iPhones that would allow an attacker to remotely install custom spyware without any interaction from the victim. It is possible that the flaw was fixed by Apple in iOS 13.2 even before the vulnerability was discovered and reported.
Zero-click refers to the lack of any victim interaction being needed to infect a device. Zero-day refers to a vulnerability that a vendor or developer have had zero days to patch as it was only just made known to them. Together, these two components make for a very frightening combination as there is no action a regular user can take to protect themselves from the abuse of this vulnerability, other than turn their phone off until a patch is released at a later date, or hope they are not targeted.
Citizen Lab states that this vulnerability was used by the NSO Group during the final months of 2019 as a vector for infection for the purpose of installing NSO Groups Pegasus mercenary spyware suite that they offer as a product/service. Although there is no conclusive evidence, Citizen Lab has observed strong circumstantial evidence indicating that the Pegasus spyware in this instance was being deployed by operators within the Spanish government against confirmed victims that include Catalan politicians, journalists, and activists.
Although this vulnerability is a zero-day, it is possible that this vulnerability only affects iOS versions prior to version 13.2. Citizen Lab did not observe any instances of this vulnerability being exploited in versions greater than 13.2. Apple has been alerted of this vulnerability, and there is no evidence to suggest that iOS devices that are up to date are at risk.
Therefore, it is highly recommended that users of iOS devices ensure that they have the latest update installed.