Update Your iPhone or iPad
Israeli Cyber-spy Firm Can Hack You
By Tim Johnson
tjohnson@mcclatchydc.com
August 27, 2016 "Information Clearing House" - "McClatchy" - The much-talked-about hack that would allow governments to spy on your every move through your iPhone and iPad has become reality.

Apple issued a security update for those devices Thursday after researchers discovered spyware that turns hand-held Apple devices into the mother of all snoops, allowing remote operators to intercept all voice and data communications and pass along every photograph and video.

Researchers said spyware had never been found before this month that could “jailbreak” an iPhone or iPad and seize total control of its functions.

Efforts to use the spyware have surfaced in Mexico and the United Arab Emirates, where critics of the government appear to have been targeted for surveillance.

“There’s pretty much nothing that this spyware couldn’t get off the iPhone,” said Bill Marczak, one of two researchers at the Citizen Lab at the University of Toronto who discovered the spyware. “It’s a total and complete compromise of the phone.”

Thursday’s development is a hit on the reputation of Apple products as largely hack-proof, and it raises questions over whether the spyware is in widespread use by authoritarian governments around the world.

The Israeli company thought to have produced the spyware said in a statement that it insisted that governments that bought its products use them only in lawful ways. Coding in the spyware indicates it has been around since 2013.

The spyware’s existence also calls into question the security of widely used encrypted communications programs such as WhatsApp and Telegram, both of whose contents can be intercepted on a compromised device before they are scrambled, according to a San Francisco cyber forensics company, Lookout, that joined Citizen Lab in the probe.

The story of how the researchers uncovered the spyware and the evidence of its use is worthy of a spy novel itself.

Marczak and a colleague, John Scott-Railton, began tracking the spyware, which they call the Trident exploit, after a human rights defender in the United Arab Emirates alerted researchers to suspicious text messages.

The rights activist, Ahmed Mansoor, received a text message on his iPhone on the morning of Aug. 10. It said in Arabic: “New secrets about torture of Emiratis in state prisons,” and contained a hyperlink to an unknown site. A similar text message arrived the next day.

Mansoor was wary. He’d already been targeted by other attempts. In all cases, the text messages were bait to get him to click on a link, which would have led to the infection of his Apple iPhone 6 and the control of the device through spying software created by NSO Group, a shadowy Israeli surveillance company, Marczak said.

Marczak and his colleague infected a test iPhone of their own and “watched as unknown software was remotely implanted on our phone,” the two said in a report. They then contacted Lookout to help in reverse-engineering the spyware.

They quickly learned that the infection would have turned Mansoor’s iPhone into a pocket undercover spy “capable of employing his iPhone’s camera and microphone to eavesdrop on activity in the vicinity of the device, recording his WhatsApp and Viber calls, logging messages sent in mobile chat apps and tracking his movements.” Viber is another common communications program.

NSO Group, based in Herzliya, on the northern outskirts of Tel Aviv, was founded in 2010 and describes itself as a leader in “cyber warfare” and a vendor of surveillance software to governments around the world. It maintains no website and keeps a low profile.

The Citizen Lab report said NSO Group had been sold to a San Francisco private equity group, Francisco Partners Management LLC, in 2014. A call of inquiry to that group led an NSO Group spokesman, Zamir Dahbash, to call McClatchy.

He offered a statement that said the company’s mission was “to help make the world a safer place” and that it sold only to authorized government agencies to help them “combat terror and crime.” NSO Group does not operate any of its systems, he said, only selling the software.

“The agreements signed with the company’s customers require that the company’s products only be used in a lawful manner. Specifically, the products may only be used for the prevention and investigation of crimes,” Dahbash said.

He would answer no further questions and would not confirm that the company had contracts with any agencies of the UAE government or with the government of Mexico, where another case emerged of efforts to infect iPhones with NSO spyware.

As the researchers traced the activities of their own infected iPhone, it led to an infrastructure of some 200 websites and servers used by NSO Group. The team then punched in the internet addresses to Google and Twitter “to see if anybody was sharing links to them,” Marczak said.

That’s when they came across a tweet by Rafael Cabrera, a Mexican editor who works for Aristegui Online, a muckraking portal that has repeatedly broken stories on alleged influence trafficking by President Enrique Peña Nieto and his wife. Cabrera noted in the tweet that he’d gotten a “weird” text message that seemed to bait him to click on a suspicious link.

“We realized, oh my gosh, this guy received links which were connected to these websites that we connected to NSO Group,” Marczak said.

Cabrera, trapped in a traffic jam in Mexico City, said in a brief cellular phone interview that three members of Aristegui Online had been targeted with the text messages. In addition to himself, the portal’s lead investigator, Daniel Lizarraga, and another prominent journalist, Salvador Camarena, received texts.

All were on the team that in November 2014 revealed that Peña Nieto’s wife had received a $7 million mansion from one of the government’s biggest contractors. The team also took part, along with McClatchy and scores of other media outlets around the world, in the probe of the Panama Papers, the trove of documents from a Panamanian law firm that opened a window earlier this year on the murky world of offshore shell companies.

Among the revelations from the documents was that the contractor who had built the mansion for the Mexican first lady had also sought to create a string of offshore trusts and companies to hide more than $100 million.

Cabrera said he could not pin blame on who might have wanted to spy on his iPhone.

“I can’t say if it was an individual or if it was the government,” Cabrera said.

The type of spyware sold by NSO Group routinely costs at least $1 million, according to a report by Lookout, making it a tool available mainly to governments.

Apple Inc. was notified by Citizen Lab and Lookout on Aug. 15 of the vulnerability in the iPhones and iPads, and it said the security update provided Thursday blocked the use of Trident spyware.

“We advise all of our customers to always download the latest version of iOS to protect themselves against potential security exploits,” Apple spokesman Fred Sainz said in an email.

But Marczak said Apple devices, like all others, faced an increasing onslaught from malware. “Nothing is hack-proof, really,” he said. “There’s always ways into these devices.”

See also
How to update your iPhone:
Apple's patch targets previously unknown spyware
that infiltrated iPhones and can read messages,
track calls and contacts, record sounds, collect
passwords and location information, investigators
told the Times.