We don't normally cover minor releases of iOS, but we're making an exception today as a sort of public service announcement. Apple has released an urgent update for iOS, version 9.3.5, that contains fixes for three zero-day vulnerabilities. The issues comprise two kernel-level exploits and a WebKit vulnerability, and have been confirmed to be under active attack.
The security issues were collectively found by researchers from Citizen Lab (University of Toronto) and the Lookout security company. Apple's security team worked in tandem with the researchers and was "very responsive," releasing a combined fix for all three issues at once—CVE-2016-4655, CVE-2016-4656, and CVE-2016-4657. We recommend that owners of iPhones, iPads, and even iPod Touches run a system update immediately.
Researchers took to calling the set of vulnerabilities "Trident." According to Lookout, Trident is used by a spyware product called "Pegasus," which the researchers say comprises "the most sophisticated attack [they've] ever seen on any endpoint." Although an attack begins with ye olde phishing text message or e-mail, the vulnerabilities allow the criminals complete access to the victims' phone and data without him being any the wiser. The researchers also believe that the exploits have been in the wild for quite a while—possibly ever since the release of iOS 7 back in September 2013.
Citizen Labs says that Pegasus was developed by an organization called NSO Group that reportedly specializes in "cyber war" and was acquired by Francisco Partners Management in 2010. The Trident vulnerabilities were apparently used to target Ahmed Mansoor, a human rights activist. Lookout also claims the Pegasus software package is used for "high-level corporate espionage" across iOS, Android, and Blackberry devices.