Apple has released a critical software patch to fix a major security vulnerability, after researchers found spyware could exploit it to hack directly into iPhones and other Apple devices without so much as a click from the user. Researchers at the University of Toronto’s Citizen Lab said they found malicious image files being transmitted to the phone of a Saudi activist, who wished to remain anonymous, via the iMessage instant-messaging app. The device was then hacked by the Pegasus spyware developed by Israel’s NSO Group, they alleged. Calling the iMessage exploit Forcedentry, Citizen Lab said that the security vulnerability makes the phones susceptible to eavesdropping and remote data theft, and that it applied to all Apple devices. Forensics revealed that the activist’s phone had been infected back in March, adding that the malicious files caused the phone to crash.