Apple has issued a critical security update for iPhones to address a zero-day bug in iOS 16 that could allow attackers to remotely install spyware on a device without any interaction from the iPhone owner. Citizen Lab, a spyware research group, discovered the exploit last week and immediately notified Apple.

The zero-click zero-day exploit had been used to install NGO Group’s Pegasus spyware onto an iPhone owned by an employee of a Washington DC-based civil society organization. Pegasus is spyware developed by a private contractor for use by government agencies. The spyware infects a phone and sends back data, including photos, messages, and audio / video recordings.

Apple has now released iOS 16.6.1 just days after the discovery of this exploit and it’s crucial for iPhone owners to install this update, even if they’re not likely to be targeted with spyware. There are still plenty of groups willing to reverse engineer iOS security updates to try and discover how to exploit this new vulnerability, raising the risk of broader attacks.

Citizen Lab hasn’t provided a full breakdown of the vulnerability for obvious reasons, but the exploit involves PassKit — the framework behind Apple Pay and Wallet — attachments that are loaded with malicious images sent via iMessage. “We expect to publish a more detailed discussion of the exploit chain in the future,” says Citizen Lab.

iOS vulnerabilities have regularly made headlines in recent years, especially ones that have been actively exploited before Apple was aware of the security flaw. Apple has even developed a Rapid Security Response system that can add security fixes to an iPhone without needing to reboot the device.

Crucially, Citizen Lab says Apple’s Lockdown Mode can protect users against this latest exploit, so if you’re at risk of being targeted by state-sponsored spyware then it’s well worth enabling this mode.