A human rights activist from the United Arab Emirates recently stumbled upon three gaping security loopholes in iOS that work by enticing you to tap a link sent to your iPhone. Ahmed Mansoor received a text message from an unknown number roughly two weeks ago, but instead of following the link it included, he sent the message over to a security researcher at Citizen Lab.
After investigating the link contained in the message, the researcher found that it was using three different zero-day attacks to gain complete control over the victim's iPhone. These attacks were previously unknown to security personnel around the world, and they would essentially jailbreak the device, then install deep-level spyware without the user knowing anything had happened.
Once they got a chance to look into the hack a bit further, Citizen Lab and mobile security company Lookout determined that the attack was created by an Israeli surveillance company named NSO Group, who is known to work with government intelligence agencies.
However, by the time media outlets even got wind of this issue, Apple had already created a security fix to go along with the iOS 9.3.5 update, effectively closing this loophole for good. The update began rolling out Thursday, so to make sure you're not vulnerable, head to Settings -> General -> Software Update, then update your iPhone to apply the fixes.
The fact that Apple worked closely with both security firms involved here means that they had a chance to keep this major vulnerability under wraps with an NDA, so that would explain why we didn't hear anything about it until after a fix had already been issued. Plus, publicly outing such a huge exploit has the potential to do some serious damage when no fix is available, so Citizen Lab and Lookout were on morally sound ground when they didn't report this loophole right off the bat.
But the hack itself was only discovered a mere two weeks before the iOS 9.3.5 update was issued, so Apple worked incredibly fast to ensure that their devices couldn't be vulnerable anymore.
Android, on the other hand, is maintained by Google, who has similar clout when it comes to keeping things under wraps. Yet millions of Android devices are currently vulnerable to the QuadRooter hack that was first reported at roughly the same time this iOS hack was discovered, and presumably known to Google before the public got wind of it.
Most of the delays with Android security fixes can be blamed on manufacturers or cell carriers, as both entities slow down the update process by adding their own customizations to Android. But Google's own Nexus devices don't have to deal with these slowdowns, yet because of Google's staged rollout system, the vast majority of Nexus devices still haven't been updated to Android Nougat, which contains fixes for the QuadRooter bug.
So it's likely that even the most promptly-updated Android devices will have to wait more than a month before receiving this security fix, which may not sound that bad. But when you consider that Apple had a similar security loophole closed within two weeks, monthly security updates simply aren't fast enough.