Earlier today, Apple released iOS 9.3.5 to fix "important security issues," as the company described them. Reports from Citizen Lab and Lookout released after Apple's announcement show that these "important security issues" were three iOS zero-days used to spy on political dissidents across the world.

According to the two organizations, the zero-days were part of a software suite called Pegasus, developed and sold by Israeli company NSO Group to governments around the world, which deployed it against targets of interest.

Pegasus, described as surveillance software developed for law enforcement agencies, is nothing different from spyware developed and sold on underground hacking forums.

Governments, security vendors, and news agencies knew of Pegasus and NSO's existence for many years, but the company has always been outshined by its more powerful competitors, Gamma Group, which sells FinFisher, and HackingTeam which sells the RCS surveillance package.

Apple patched zero-days that enabled Pegasus spying features

Apple released a fix today to address Pegasus features that allowed it to spy on iOS users without them ever being aware.

These features were powered by three zero-days that allowed a remote attacker to compromise iOS devices by fooling a victim into accessing a malicious website.

Once the zero-day exploit code was executed, the attacker would use the Pegasus software to control the victim's iPhone or iPad. According to Lookout, the attackers had full control over the device, and could exfiltrate data, listen on conversations via the microphone, detect the user's GPS position, follow IM conversations, and many more others.

Zero-Day Description Exploit Capability CVE-2016-4655 Information leak in Kernel – A kernel base mapping vulnerability that leaks information to the attacker allowing him to calculate the kernel’s location in memory. An application may be able to disclose kernel memory CVE-2016-4657 Kernel Memory corruption leads to Jailbreak – 32 and 64 bit iOS kernel-level vulnerabilities that allow the attacker to silently jailbreak the device and install surveillance software. An application may be able to execute arbitrary code with kernel privileges CVE-2016-4658 Memory Corruption in Webkit – A vulnerability in the Safari WebKit that allows the attacker to compromise the device when the user clicks on a link. Visiting a maliciously crafted website may lead to arbitrary code execution

"Pegasus is the most sophisticated attack we’ve seen on any endpoint because it takes advantage of how integrated mobile devices are in our lives and the combination of features only available on mobile," the Lookout team explained.

A further, in-depth analysis of Pegasus also revealed traces of a kernel mapping table that has values that target previous iOS version, way back to iOS 7, meaning the spyware was used for years without being detected until this past month.

Meet Ahmed Mansoor, the most spied on activist in the world

One of the people targeted with Pegasus, and the one that detected something wrong and led to the discovery of the three zero-days, was Ahmed Mansoor, a human rights activist from the United Arab Emirates (UAE).

Coincidentally, Mansoor was also targeted in the past with both FinFinsher and RCS spyware. As such, he was able to quickly recognize a phishing lure he received via SMS, which promised new details about torture practices in the UAE.

Mansoor forwarded the SMS messages to Citizen Lab, an investigative interdisciplinary laboratory at the Munk School of Global Affairs at the University of Toronto, Canada, specialized in political cyber-espionage.

Pegasus software also sold to Mexico and Kenya

Recognizing the sophisticated campaign behind this SMS message, Citizen Lab brought in Lookout to investigate the technical side of the attack. Lookout discovered the three zero-days, while Citizen Lab connected the zero-days to the Pegasus software and the NSO Group, an Israeli company bought by US firm Francisco Partners in 2014.

Citizen Lab tracked down the Pegasus software and discovered export licenses for various governments. The organization tied NSO's Pegasus suite used against a Mexican journalist who uncovered corruption by Mexico's President, and a few attacks against unknown targets in Kenya.

"While these spyware tools are developed in democracies, they continue to be sold to countries with notorious records of abusive targeting of human rights defenders," the Citizen Lab team explains. "Such sales occur despite the existence of applicable export controls."

Lookout provides a technical look at the three iOS zero-days fixed in iOS 9.3.5 in its report, while Citizen Lab's report focused on the morals and political background behind these recent attacks.