Suspected Apple iOS Zero-Day Used to Spread 'Reign' Spyware
The Spyware Can Record Audio, Take Pictures, Track Locations and Steal Passwords
A low-profile Israeli advanced spyware firm used a suspected zero-day to surveil the lives of journalists, political opposition figures and a nongovernmental organization worker across multiple continents, say researchers from the Citizen Lab and Microsoft.
The researchers, in reports unveiled Tuesday, say software developed by QuaDream and marketed as "Reign" can record audio, take pictures, track location and steal passwords. Governments from at least 10 countries are customers, they say.
The Citizen Lab said evidence shows that hackers exploited a zero-click zero-day it dubbed EndOfDays in the Apple mobile operating system that went unpatched for at least the first few months of 2021. Microsoft disclosed more than 200 web domains it said are associated with QuaDream malicious activity. It shared malware samples with the Citizen Lab as part of an investigation into advanced threats.
An Apple spokesman said there is no indication that the EndOfDays exploit could be used since it released an iOS update on March 26, 2021.
Major technology firms including Microsoft and Apple have led public campaigns against commercial surveillance groups including the far more famous Israeli firm NSO Group. Microsoft characterizes the roughly three dozen known global vendors of smartphone spyware as "cyber mercenaries." They "stockpile vulnerabilities and search for new ways to access networks without authorization. Their actions do not only impact the individual they target, but leave whole networks and products exposed and vulnerable to further attacks," wrote Amy Hogan-Burney, Microsoft head of cybersecurity policy and protection, in a blog post.
The U.S. government has ramped up regulatory pressure on the industry, most recently through a White House executive order that significantly limits federal agencies' ability to acquire licenses (see: US Limits Government Use of Advanced Smartphone Spyware). A European Parliament committee is investigating use of the technology, although some members have accused member states' governments of stonewalling and the European Commission of complicity (see: EU Complicit in Spread of Advanced Spyware, Charges Veld).
QuaDream "operates with a minimal public presence," the Citizen Lab said. The company lacks a website, and Reuters reported in 2022 that employees are told not to refer to their employer on social media. Some information about the company came to light in a legal dispute QuaDream has with a Cyprus-registered company named InReach. The Citizen Lab said InReach distributed licenses internationally, with the partnership between the two companies designed as a way to avoid export controls. Israeli newspaper Haaretz first reported on the QuaDream and InReach connection in 2021.
The Citizen Lab said Reign malware can leave a residue on infected devices once removed. Researchers call the traces "Ectoplasm Factor" but they said they wouldn't disclose technical indicators, since they could be used to detect future infections. They identified at least five victims located in North America, Central Asia, Southeast Asia, Europe and the Middle East. Reign operators appeared to be located in Europe, including in Bulgaria, the Czech Republic, Hungary and Romania, as well as in Ghana, Israel, Mexico, Singapore, the United Arab Emirates and Uzbekistan.
Government hackers who deployed the EndOfDays exploit infected smartphones through invisible iCloud calendar invitations. The malware contained code that cleaned up evidence of its presence by deleting calendar events associated with a specific email address listed as the organizer. It also removed a record of iCloud accounts the device interacted with using certain Apple services such as iMessenger.