New Zero-Click iOS Exploit Deploys Israeli Spyware

Written by

Security researchers have discovered a new zero-click, zero-day exploit that targeted iPhone users in 2021 with commercial spyware produced by secretive Israeli firm QuaDream.

Microsoft and Citizen Lab teamed up to expose the campaign, which they say targeted at least five “civil society victims” across the globe, including journalists, political opposition figures and an NGO worker.

The exploit itself, dubbed “EndofDays,” uses invisible iCloud calendar invites sent by the spyware operator, Citizen Lab said in a lengthy post outlining its findings.

“On iOS 14, any iCloud calendar invitation with a backdated time received by the phone is automatically processed and added to the user’s calendar with no user-facing prompt or notification,” it explained.

The exploit was deployed against iOS versions 14.4 and 14.4.2, and potentially other versions, between January and November 2021.

Read more on commercial spyware: NSO Group Blacklisted by US for Trade in Spyware.

The spyware delivered by the exploit, dubbed “KingsPawn” by Microsoft, is linked to shadowy commercial malware maker QuaDream.

“Like other, similar, mercenary spyware the implant has a range of capabilities from hot-mic audio recording of calls and the environment, to more advanced capabilities to search through the phone,” Citizen Lab said.

“We found that the spyware also contains a self-destruct feature that cleans up various traces left behind by the spyware itself. Our analysis of the self-destruct feature revealed a process name used by the spyware, which we discovered on victim devices.”

The researchers identified over 600 servers linked to QuaDream spyware between late 2021 and early 2023, and found suspected operators in Bulgaria, Czech Republic, Hungary, Ghana, Israel, Mexico, Romania, Singapore, the United Arab Emirates (UAE) and Uzbekistan.

Up until now, the Israeli firm has managed to avoid the kind of negative publicity and US scrutiny impacting peers such as NSO Group and FinFisher. However, the report aims to set the records straight by identifying key individuals at the firm, many of whom have a background in the Israeli military.

The news comes just weeks after an executive order from President Joe Biden sought to prevent the US government from buying commercial spyware linked to anti-democratic practices. A tech industry coalition has also pledged to curb the impact of cyber-mercenary activity through a new initiative.

What’s hot on Infosecurity Magazine?