An Israeli company called QuaDream has been discovered selling a spyware tool that can attack iPhones, similar to the infamous Pegasus software sold by the NSO Group. Citizen Lab, which analyzed samples shared by Microsoft Threat Intelligence, found that the Reign spyware was used in at least five cases against political opposition figures, journalists, and others across North America, Central Asia, Southeast Asia, Europe, and the Middle East. Reign has reportedly been sold to governments including Singapore, Saudi Arabia, Mexico, and Ghana, and pitched to others including Indonesia and Morocco.
The spyware uses a suspected iOS 14 zero-click exploit called “Endofdays”, which deploys the software through invisible iCloud calendar invitations sent to victims. Once installed, Reign can access various components of iOS and iPhone features, including recording audio of calls, recording the microphone, taking photographs using cameras, exfiltrating and removing items from the Keychain, generating iCloud 2FA passwords, searching through files and databases on the device, tracking the device’s location, and cleaning up traces of the software to minimize detection.
The spyware also has a self-destruct feature that cleans up traces of the software; the same feature helps researchers identify whether a victim was attacked using the surveillance tool.
QuaDream, which is believed to have “common roots” with NSO Group, avoided discovery for a considerable period of time through efforts to avoid scrutiny. The firm is also in a legal dispute with InReach, a Cyprus-based entity used to sell QuaDream’s products outside of Israel, over an apparent failure to transfer funds in 2019. That dispute helped researchers discover more about the companies and their officers.
Citizen Lab warns that the report is “a reminder that the industry for mercenary spyware is larger than any one company, and that continued vigilance is required by researchers and potential targets alike”.