New Zero-Click iOS Exploit Deploys Israeli Spyware

Security researchers have discovered a new zero-click, zero-day exploit that was used in 2021 to target iPhone users with commercial spyware created by the secretive Israeli company QuaDream.

Together, Microsoft and Citizen Lab have unveiled a campaign targeting at least five “victims of civil society” around the world, including journalists, opposition officials and NGO workers.

The exploit itself, called “EndofDays,” uses invisible iCloud calendar invitations sent by spyware operators, Citizen Lab said in a lengthy post summarizing its findings.

“With iOS 14, past-dated iCloud calendar invites received by the phone are automatically processed and added to the user’s calendar without any prompt or notification to the user.”

The exploit was deployed between January and November 2021 against iOS versions 14.4 and 14.4.2, and potentially other versions.

For more information on commercial spyware, see NSO Group blacklisted in US for trade in spyware.

The spyware distributed by this exploit is called “KingsPawn” by Microsoft and is linked to QuaDream, a mysterious commercial malware maker.

“Like other similar mercenary spyware, the implant has a range of features, from hot-mic voice recording of calls and the environment, to more advanced capabilities to search phones,” Citizen Lab said.

“We found that the spyware also contains self-destructive features that erase various traces left by the spyware itself. An analysis of the self-destructive features reveals the process names used by the spyware, which can be used by the victim. It was found on the device of

Researchers have identified more than 600 servers linked to QuaDream spyware in late 2021 and early 2023 in Bulgaria, Czech Republic, Hungary, Ghana, Israel, Mexico, Romania, Singapore, United Arab Emirates (UAE), and Uzbekistan.

So far, the Israeli company has managed to avoid the negative publicity and US scrutiny that affects other companies in the industry, such as NSO Group and FinFisher. However, the report aims to set the record straight by identifying key figures in the company, many of whom have Israeli military backgrounds.

The news comes just weeks after President Joe Biden issued an executive order seeking to block the US government from purchasing commercial spyware linked to anti-democratic practices. A tech industry coalition has also pledged to curb the impact of cyber-mercenary activity through new initiatives.
