Echoing NSO Group's Pegasus debacle, another spyware tool that could attack the iPhone was sold to governments, and has only now been discovered.
Spying software is often used by security agencies and governments to monitor individuals of interest. This was most famously demonstrated by the discovery of Pegasus, spyware by NSO Group that was sold and used to spy on political opponents, activists, and journalists.
While the Pegasus discussion has died down, it seems that NSO Group wasn't the only organization selling tools capable of surveilling an iPhone to interested parties.
A report from Citizen Lab based on analysis of samples shared by Microsoft Threat Intelligence revealed the existence of a spying tool that was very similar to Pegasus in many ways. Known as "Reign," the spyware by the Israeli company QuaDream offers ways for governments to, again, keep tabs on their potential opposition.
Much like Pegasus, Reign has been sold to governments including Singapore, Saudi Arabia, Mexico, and Ghana. It was pitched to others including Indonesia and Morocco.
The tool has also been used in at least five cases. To date it has been used against political opposition figures, journalists, and others in North America, Central Asia, Southeast Asia, Europe, and the Middle East.
Zero-click and devastating
Binaries scanned by the team reveal the spyware was deployed to target devices by using a suspected iOS 14 zero-click exploit, including against iOS 14.4 and iOS 14.4.2. The exploit, which researchers refer to as "Endofdays," used invisible iCloud calendar invitations sent to victims.
Once installed, Reign had a considerable amount of access to the various components of iOS and iPhone features, much like Pegasus did. This included:
- Recording audio of calls
- Recording the microphone
- Taking photographs using cameras
- Exfiltrating and removing items from the Keychain
- Generating iCloud 2FA passwords
- Searching through files and databases on the device
- Tracking the device's location
- Cleaning up traces of the software to minimize detection
A self-destruct feature cleaned up the traces of the spyware, but also helped researchers identify whether a victim was attacked using the surveillance tool.
A continuing privacy danger
QuaDream continues to operate. It managed to avoid being discovered for a considerable period of time because of efforts to avoid scrutiny.
The firm is also in a legal dispute with InReach, a Cyprus-based entity used to sell QuaDream's products outside of Israel. The dispute, over an apparent failure to transfer funds in 2019, helped researchers discover more about the companies, including their officers.
QuaDream is believed to have "common roots" with NSO Group, according to Citizen Lab, along with other companies within the Israeli commercial spyware industry, as well as intelligence agencies within the Israeli government.
Among the key individuals are a co-founder who was a former Israeli military official and former NSO employees.
Citizen Lab says the report is "a reminder that the industry for mercenary spyware is larger than any one company, and that continued vigilance is required by researchers and potential targets alike."