Details have emerged about Israeli spyware vendor QuaDream and its iOS malware, as Microsoft and Citizen Lab have published findings on QuaDream's activities, its malware, and its victims. The Reign platform developed by QuaDream includes malware, exploits, and infrastructure that can be used to steal data from compromised Android and iOS mobile devices.
The company has been making an effort to keep a low profile, but its activities came to light last year when Meta reported taking down 250 accounts associated with the firm, which the social media giant said was founded by former NSO employees.
The reports describe the spyware, which Microsoft tracks as KingsPawn, as able to record audio from calls and from the device's microphone, take pictures with the camera, exfiltrate and remove keychain items, generate iCloud 2FA passwords, track location, search files and databases on the device, and clean up its own tracks.
The spyware vendor has been involved in a legal dispute with an Israeli firm over its alleged refusal to transfer part of its revenue, providing some insight into its business practices. Citizen Lab has identified five unnamed victims located in North America, Europe, the Middle East, and Central and Southeast Asia, including politicians, journalists, and one NGO worker.
Citizen Lab stated “We cannot determine if the systems operated from Israel are operated by the Israeli government or QuaDream itself. Nevertheless, the Israeli government is also suspected to have abused mercenary spyware to target Palestinian HRDs, as well as domestic political activists.”
Microsoft Analysis of the KingsPawn iOS Malware
Microsoft analyzed a version of the malware that targeted iPhones running iOS 14, which was the current release of the operating system at the time of the attacks. Some of the code may also have been used in Android exploits at that time.
Apple was informed of the iOS exploits in 2021 and reportedly notified targeted individuals at the time. Reuters reported that QuaDream leveraged the same iOS vulnerabilities that NSO Group used for its ForcedEntry exploit.
The exploits written for iOS 14 no longer work on newer versions of the operating system, but Microsoft believes the vendor has likely updated its malware to compromise newer iPhones as well. Apple patches zero-day flaws exploited by commercial spyware vendors on a regular basis.
The malware was likely delivered by a zero-click exploit that Citizen Lab calls ENDOFDAYS, which uses invisible, backdated iCloud calendar invitations sent by the attacker; invitations with timestamps in the past are processed by the device without any notification to the user, so the malicious payload is delivered without interaction.
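The delivery vector above suggests a simple triage check for incident responders: scan calendar invitations a target received and flag any whose event time or creation stamp is backdated relative to the time of receipt. The script below is an added example written for this page; it is not code from Citizen Lab, Microsoft, or QuaDream, and it does not detect the exploit itself. It assumes the invitations have been exported as iCalendar (.ics) data, a hypothetical one-day backdating threshold, and the two sample invites embedded in it are constructed for illustration (the benign "Weekly sync" and the backdated, untitled event).

```python
"""Triage heuristic for calendar invitations: flag invites that are backdated
relative to the time they were received, the trait Citizen Lab attributes to
the ENDOFDAYS delivery vector. Added example, not from the original report.
All sample data below is constructed; the threshold is an assumption."""
from __future__ import annotations
from datetime import datetime, timedelta, timezone


def unfold(ics: str) -> list[str]:
    """RFC 5545 line unfolding: a line beginning with SPACE or TAB continues
    the previous line."""
    out: list[str] = []
    for raw in ics.splitlines():
        if raw[:1] in (" ", "\t") and out:
            out[-1] += raw[1:]
        else:
            out.append(raw)
    return out


def parse_dt(value: str) -> datetime:
    """Parse the DATE-TIME forms used by the samples (UTC 'Z' form, or a
    floating time treated as UTC for comparison purposes)."""
    if value.endswith("Z"):
        return datetime.strptime(value, "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    return datetime.strptime(value, "%Y%m%dT%H%M%S").replace(tzinfo=timezone.utc)


def parse_events(ics: str) -> list[dict]:
    """Minimal VEVENT parser: collect properties of each event, dropping
    property parameters such as ';CN=...' or ';TZID=...'."""
    events: list[dict] = []
    cur: dict | None = None
    for line in unfold(ics):
        if line == "BEGIN:VEVENT":
            cur = {}
        elif line == "END:VEVENT" and cur is not None:
            events.append(cur)
            cur = None
        elif cur is not None and ":" in line:
            name, _, value = line.partition(":")
            cur[name.split(";")[0].upper()] = value
    return events


def triage(ics: str, received: datetime,
           backdate_threshold: timedelta = timedelta(days=1)) -> list[dict]:
    """Return one finding per event. An event is suspicious if its DTSTART
    or DTSTAMP lies more than `backdate_threshold` before receipt (an
    invitation for a meeting that already happened is rarely legitimate),
    or if it carries no title at all."""
    findings = []
    for ev in parse_events(ics):
        reasons = []
        if "DTSTART" in ev and received - parse_dt(ev["DTSTART"]) > backdate_threshold:
            reasons.append("backdated DTSTART (%s before receipt)"
                           % (received - parse_dt(ev["DTSTART"])))
        if "DTSTAMP" in ev and received - parse_dt(ev["DTSTAMP"]) > backdate_threshold:
            reasons.append("backdated DTSTAMP")
        if not ev.get("SUMMARY", "").strip():
            reasons.append("empty SUMMARY")
        findings.append({"uid": ev.get("UID", "?"),
                         "suspicious": bool(reasons), "reasons": reasons})
    return findings


# Constructed sample: one ordinary invite and one backdated, untitled invite.
SAMPLE_ICS = """BEGIN:VCALENDAR
VERSION:2.0
METHOD:REQUEST
BEGIN:VEVENT
UID:benign-1@example.com
DTSTAMP:20230301T100000Z
DTSTART:20230305T090000Z
DTEND:20230305T100000Z
SUMMARY:Weekly sync
ORGANIZER:mailto:colleague@example.com
END:VEVENT
BEGIN:VEVENT
UID:suspect-1@example.com
DTSTAMP:20220101T000000Z
DTSTART:20220101T000000Z
DTEND:20220101T001500Z
SUMMARY:
ATTENDEE;CN=Target;ROLE=REQ-PARTICIPANT:mailto:
 target@example.com
END:VEVENT
END:VCALENDAR
"""
RECEIVED_AT = datetime(2023, 3, 1, 12, 0, tzinfo=timezone.utc)  # assumed receipt time


def run_sample() -> list[dict]:
    return triage(SAMPLE_ICS, RECEIVED_AT)


if __name__ == "__main__":
    for f in run_sample():
        print(f["uid"], "SUSPICIOUS" if f["suspicious"] else "ok", "; ".join(f["reasons"]))
```

Treat this as a lead generator, not a verdict: a legitimate invite can be backdated (a meeting minute-taker adding an event after the fact), and an invitation processed silently on the device may never be exported as .ics in the first place, so a negative result says nothing about whether the device was compromised.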