Apple on Thursday pushed an emergency iOS security update, version 18.4.1, to patch a zero-day vulnerability that security researchers say was being actively exploited to install DarkSword spyware on iPhones via malicious iMessage attachments.
The vulnerability, tracked as CVE-2026-0932, resides in the Image I/O framework and allowed attackers to execute arbitrary code without any user interaction. Citizen Lab and Amnesty International's Security Lab jointly identified the spyware, which they said was being used to target journalists, lawyers, and political opposition figures in at least seven countries.
Apple declined to comment on the identity of the spyware vendor but confirmed that 'a small number of users' had been affected. The company credited Citizen Lab with the discovery.
Commercial spyware industry under fire
DarkSword bears similarities to Pegasus, the spyware developed by NSO Group, but researchers said it appears to be from a different, possibly Eastern European, vendor. 'This is further evidence that the commercial spyware market is expanding, not contracting,' said John Scott-Railton of Citizen Lab.
The Biden administration added two spyware companies to the Commerce Department's entity list in February, restricting their access to U.S. technology. However, researchers say new vendors emerge regularly.
This is further evidence that the commercial spyware market is expanding, not contracting. Apple cannot patch its way out of this problem; governments must regulate the industry.
Apple has urged all users to install the update immediately. The company also announced that it will add a new 'Lockdown Mode' enhancement in iOS 19, scheduled for September, that will block all iMessage attachment types except images.






