Tel Aviv-based QuaDream is a lesser-known alternative to the spyware vendor NSO Group. As governments look for alternatives to Pegasus, researchers report that QuaDream's spyware has been used to compromise iPhones running iOS 14 belonging to journalists, politicians and an NGO worker in 10 countries. The malware was delivered through "invisible iCloud calendar invitations sent from the spyware's operator to victims", so the target did not need to click anything.
Researchers at The Citizen Lab and Microsoft Threat Intelligence analysed the Israeli vendor's iOS malware and found that it can record audio from phone calls and the microphone, take pictures with both the front and rear cameras, export or delete keychain items, generate iCloud two-factor authentication codes, search the device's files and databases, and track the device's location. It can also clean up after itself, removing its own traces from the device.
The researchers also found that the spyware had been used against journalists, political opposition figures and, in one case, an NGO worker, with victims in North America, Central Asia, Southeast Asia, Europe and the Middle East.
The suspected operator locations for the malicious payload were Bulgaria, Czechia, Hungary, Ghana, Israel, Mexico, Romania, Singapore, the United Arab Emirates and Uzbekistan. In other words, entities in these countries, most likely government customers of QuaDream, appear to have been running the spyware.
The discovered spyware primarily targets devices running iOS 14.4 and 14.4.2, but the researchers found that some of the code could also be used against Android devices. They also expect QuaDream to update the payload to target more recent versions of iOS, namely iOS 15 and 16.
While QuaDream has not gained the level of notoriety of its Israeli counterpart NSO, Haaretz reported in 2021 that Saudi Arabia was buying spyware from QuaDream.
“Since the malware sample targets iOS 14, some of the techniques used in this sample may no longer work or be relevant on newer iOS versions. However, we assess it’s highly likely that DEV-0196 will have updated their malware, targeting newer versions to account for this,” researchers at Microsoft Threat Intelligence said.
Update [18/04]: QuaDream has reportedly shut shop after this investigation surfaced.