Cybersecurity experts at the Citizen Lab, a research centre at the University of Toronto, have discovered a security flaw in the iOS software that allowed the Pegasus spyware to be installed without even a click.
They notified Apple, which quickly developed a software update for users to download. Apple has urged its users to update all their Apple devices to avoid the chance of getting the spyware.
"Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals," the company said.
Citizen Lab said it was urging people "to immediately update all Apple devices."
Explosive revelations that governments have spied on people using the hugely invasive software -- which was developed by the NSO Group, a secretive Israeli firm -- have ricocheted around the world since July.
Once Pegasus is installed on a phone, it can be used to read a target's messages, look at their photos, track their movements and even switch on their camera -- all without the person knowing.
The flaw fixed by Apple on Monday enables a so-called "zero-click exploit", meaning that the spyware can be installed on a device without the owner needing to do so much as click a button.
Less sophisticated spyware tools have generally required the target to click on a booby-trapped link or file in order to start tapping the person's communications.
Citizen Lab said it believed the flaw, which it named FORCEDENTRY, had been used to install Pegasus on devices since February 2021 or possibly earlier.
It is a variant of a weak spot in Apple's messaging software that Citizen Lab previously detected on the iPhones of nine Bahraini activists, who were hacked with Pegasus between June 2020 and February this year.
"Popular chat apps are the soft underbelly of device security. They are on every device," tweeted John Scott-Railton, a senior researcher at Citizen Lab who helped uncover the flaw.
The messaging service WhatsApp was also allegedly used previously to infiltrate phones with Pegasus, and its owner Facebook is suing the NSO Group.
The security of messaging apps "needs to be a top priority," Scott-Railton added, urging his followers: "UPDATE YOUR APPLE DEVICES NOW."