Researchers from Microsoft and digital rights group Citizen Lab have discovered that QuaDream, a little-known Israeli mercenary spyware provider, used rogue calendar invites to hack iPhones of journalists, political opposition figures, and an NGO worker. QuaDream, known for developing zero-click exploits for iPhones, has been operating under the radar until recently. In 2021, it was reported that QuaDream sold its spyware to Saudi Arabia, and in the following year, it was revealed that the company sold an exploit similar to one provided by NSO Group. QuaDream’s customers were found to operate servers in various countries around the world, including Bulgaria, Czech Republic, Hungary, Romania, Ghana, Israel, Mexico, Singapore, United Arab Emirates (UAE), and Uzbekistan.
Both Citizen Lab and Microsoft published technical reports on QuaDream’s alleged spyware, stating that the exploit used by QuaDream’s government hackers was developed for iOS 14 and was a zero-day exploit at the time, meaning it was unknown to Apple and unpatched. The hackers used malicious calendar invites with past dates to deliver the malware, which did not trigger a notification on the phone, making it invisible to the target. Apple has stated that there is no evidence showing the exploit has been used after March 2021, when an update was released.
Citizen Lab has refrained from naming the victims to protect their privacy, but noted that they are located in different countries, which makes it harder for them to come forward. QuaDream was found to use a Cyprus-based company called InReach to sell its products, allegedly bypassing Israeli export regulations. However, QuaDream was unable to deliver its products to certain countries in Africa due to changes in Israeli regulations. The source also claimed that QuaDream has recently shut down its Android division and is now focusing on iOS only.
The discovery of QuaDream’s malware highlights that the spyware industry is not limited to NSO Group, but includes other lesser-known companies. The industry has evolved from being dominated by companies like Hacking Team and FinFisher to include multiple players that operate under the radar.
