iPhone Hacked by QuaDream Spyware: Microsoft and Citizen Lab Report

Microsoft and Citizen Lab have discovered a new commercial spyware that has been used to compromise iPhones belonging to high-risk individuals, including journalists, political opposition figures, and an NGO worker.

The spyware was created by an Israel-based company called QuaDream, which used a zero-click exploit named ENDOFDAYS to target iPhones running iOS 14.4 up to 14.4.2 between January 2021 and November 2021.

How Was the iPhone Hacked?

The attackers used backdated and “invisible iCloud calendar invitations” to target iPhones. When iCloud calendar invitations with backdated timestamps are received on iOS devices, they are automatically added to the user’s calendar without any notification or prompt, allowing the ENDOFDAYS exploit to run without user interaction and making the attacks undetectable by the targets.
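As an added defender's example (not from the article or the Citizen Lab report), the following Python flags calendar invitations whose event start lies far before the invitation's own creation timestamp, a triage heuristic for the backdated-invitation pattern described above. The .ics sample is constructed, and the heuristic itself is an assumption rather than a published indicator.

```python
"""Triage helper for exported iCalendar (.ics) invitations. Constructed sample
data; the backdating heuristic is an assumption, not a published indicator."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: one ordinary invite and one backdated invite.
SAMPLE_ICS = """BEGIN:VCALENDAR
BEGIN:VEVENT
UID:meeting-1@example.invalid
DTSTAMP:20210301T090000Z
DTSTART:20210302T140000Z
ORGANIZER:mailto:colleague@example.invalid
END:VEVENT
BEGIN:VEVENT
UID:invite-2@example.invalid
DTSTAMP:20210315T120000Z
DTSTART:20200101T000000Z
ORGANIZER:mailto:unknown-sender@example.invalid
END:VEVENT
END:VCALENDAR
"""

def parse_ics_time(value):
    """Parse a UTC iCalendar DATE-TIME such as 20210315T120000Z."""
    return datetime.strptime(value, "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)

def parse_events(ics_text):
    """Return one dict of properties per VEVENT block (parameters dropped)."""
    events = []
    for block in re.findall(r"BEGIN:VEVENT\r?\n(.*?)END:VEVENT", ics_text, re.S):
        props = {}
        for line in block.splitlines():
            key, sep, val = line.partition(":")
            if sep:
                props[key.split(";")[0]] = val
        events.append(props)
    return events

def find_backdated_invites(ics_text, tolerance=timedelta(days=1)):
    """Flag events whose DTSTART lies more than `tolerance` before DTSTAMP:
    an invitation created long after its own start time is backdated."""
    flagged = []
    for ev in parse_events(ics_text):
        try:
            created, start = parse_ics_time(ev["DTSTAMP"]), parse_ics_time(ev["DTSTART"])
        except (KeyError, ValueError):
            continue  # skip entries without UTC timestamps in this simple triage
        if created - start > tolerance:
            flagged.append((ev.get("UID"), ev.get("ORGANIZER"), (created - start).days))
    return flagged
```

Run it against a calendar export and review flagged UIDs and organizers by hand; the tolerance avoids flagging invitations sent a few hours late for a meeting already under way.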

Victims of the QuaDream iPhone Hacks

Citizen Lab researchers found that at least five civil society victims had their iPhones hacked by QuaDream’s spyware and exploits in North America, Central Asia, Southeast Asia, Europe, and the Middle East. The researchers did not disclose the identities of the victims.

Features of QuaDream’s Spyware

The spyware deployed in this campaign, dubbed KingsPawn by Microsoft, was designed to delete itself and clean any traces from victims’ iPhones to evade detection. According to Citizen Lab’s analysis, the spyware comes with a wide range of features, including:

  • Recording audio from phone calls
  • Recording audio from the microphone
  • Taking pictures through the device’s front or back camera
  • Exfiltrating and removing items from the device’s keychain
  • Hijacking the phone’s Anisette framework and hooking the gettimeofday syscall to generate iCloud time-based one-time password (TOTP) login codes for arbitrary dates. This is suspected to be used to generate two-factor authentication codes valid for future dates, in order to facilitate persistent exfiltration of the user’s data directly from iCloud.
  • Running queries in SQL databases on the phone
  • Cleaning remnants that might be left behind by zero-click exploits
  • Tracking the device’s location
  • Performing various filesystem operations, including searching for files matching specified characteristics

QuaDream’s Servers

Citizen Lab found QuaDream servers in multiple countries, including Bulgaria, the Czech Republic, Hungary, Ghana, Israel, Mexico, Romania, Singapore, United Arab Emirates (UAE), and Uzbekistan.

The discovery of QuaDream’s commercial spyware is another reminder of the growing industry for mercenary spyware, and of the need for continued vigilance by researchers and potential targets alike. Without systemic government regulation, abuse of commercial spyware is likely to continue to grow, fueled both by companies with recognizable names and by others still operating in the shadows.

William Marshal

William has been one of the key contributors to 'The Cybersecurity Times' with 9.5 years of experience in cybersecurity journalism. Apart from writing, he also likes hiking, skating and coding.
