An Israeli cyber mercenary firm, QuaDream, has been accused of developing spyware that was used to hack the iPhones of political opposition figures, journalists, and an NGO worker, according to two reports by Microsoft and digital rights group Citizen Lab.
The malicious software, which includes zero-click exploits that don’t require the target to click on malicious links, was delivered via calendar invites with dates in the past, which didn’t trigger a notification on the phone, making them invisible to the targets. The attacks reportedly took place using servers located in Bulgaria, Czech Republic, Hungary, Romania, Ghana, Israel, Mexico, Singapore, United Arab Emirates (UAE), and Uzbekistan.
Citizen Lab and Microsoft’s reports show that the government hackers who used QuaDream’s exploit were able to hack more than five iPhones running on iOS 14, which was unpatched and unknown to Apple at the time. This made it a so-called zero-day exploit. The malware was designed to download actual malware if it was on the device of the intended target. The final payload was capable of recording phone calls and audio using the phone’s microphone surreptitiously, taking pictures, stealing files, tracking the person’s granular location, and deleting forensic traces of its own existence, among other functionalities.
Citizen Lab researchers, who do not want to name the victims, said that the malware does leave certain traces that allowed them to track QuaDream’s spyware. However, the researchers do not want to reveal these traces to retain their ability to track the malware. They called the traces of malware the “Ectoplasm Factor,” a name inspired by a quest in the popular game Stardew Valley, which a senior researcher at Citizen Lab said he plays.
According to Apple representative Scott Radcliffe, there is no indication that the attack disclosed by Microsoft and Citizen Lab was utilized after March 2021, when the firm delivered a fix. Citizen Lab researchers also stated that QuaDream sold its products through a Cyprus-based firm named InReach, circumventing the Israeli export authority, however the company did not totally avoid restrictions.
The sources for this piece include an article in TechCrunch.