New Report Blows the Lid on Another iPhone Spyware
The Reign spyware has audio and call recording, picture taking, location tracking, self-destruct, and other functionality.
Hackers have been using Israel-developed spyware to target journalists, political opposition figures, and non-government organization workers using iPhones and operating across North America, Central Asia, Southeast Asia, Europe, and the Middle East.
According to two reports published this week by Microsoft and the University of Toronto’s Citizen Lab, spyware developed by a relatively obscure Israel-based company, QuaDream, has a significant clientele. This includes the federal governments of Singapore, Saudi Arabia, Mexico, and Ghana. Israel’s Haaretz had previously reported that QuaDream sold the spyware to the Saudi government.
Moreover, based on the locations of the servers, the spyware is being operated out of Bulgaria, the Czech Republic, Hungary, Israel, Mexico, Romania, United Arab Emirates (UAE), Uzbekistan, Singapore, and Ghana as well.
6/ We aren't naming victims in this initial technical report, but the pattern is familiar to the commercial #spyware industry:
"untraceable" zero-click tool sold to global client list… leads to hacking of opposition members, journalists, NGO workers, and so on. pic.twitter.com/1q1tqd93e8
— John Scott-Railton (@jsrailton) April 11, 2023
Microsoft went so far as to refer QuaDream as a private sector offensive actor or PSOA and associated it with a threat group it tracks as DEV-0196. However, a 2022 Reuters report noted that QuaDream doesn’t operate the spyware and that its customers are responsible for it, as is the norm.
The QuaDream-developed spyware, marketed as Reign but named KingsPawn by Microsoft, exploits a zero-day vulnerability in iPhones. Dubbed ENDOFDAYS by Citizen Lab, the vulnerability impacts iOS versions 14.4 and 14.4.2 and possibly others.
Microsoft got a hold of two original Reign samples and shared them with Citizen Lab. “Sample 1 appeared to be a downloader designed to exfiltrate basic device information and download and execute an additional payload”, Citizen Lab noted.
“Sample 2 appeared to be a full-featured spyware payload. Nevertheless, both Sample 1 and Sample 2 shared highly distinctive commonalities, including largely identical functions for spawning processes.” The research lab detained sample 2’s functionality, which includes the following:
- Audio recording from phone calls
- Audio recording from the microphone
- Taking pictures (from the front or back camera)
- Exfiltrating and removing items from the device’s keychain
- Hijacking the phone’s Anisette framework and hooking the gettimeofday syscall to generate iCloud time-based one-time password (TOTP) login codes for arbitrary dates. We suspect this is used to generate two-factor authentication codes valid for future dates to facilitate persistent exfiltration of the user’s data directly from iCloud.
- Running queries in SQL databases on the phone
- Tracking the device’s location
- Performing various filesystem operations, including searching for files matching specified characteristics
Reign also has a self-destruct feature to wipe out any traces it may leave behind.
See More: Pirated Final Cut Pro Trojanized With Stealth Malware to Target Apple macOS
But before threat actors can unleash the spyware onto the target device, they must first gain access to it. This is achieved by sending invisible and predated iCloud calendar invitations from the spyware’s operator to victims.
Now, these calendar invites are automatically, not to mention surreptitiously, included in the calendar since they are designed not to send notifications to the user. Once added, this triggers the ENDOFDAYS exploit and sample 2 download.
“This pattern is a repetition of the abuses found with more notorious players, like NSO Group’s Pegasus spyware, Cytrox’s Predator spyware, and, before them, Hacking Team and FinFisher,” Citizen Lab researchers wrote. “The firm has common roots with NSO Group, as well as other companies in the Israeli commercial spyware industry and the Israeli government’s own intelligence agencies.”
In November 2021, Apple sued NSO Group, calling it an “amoral 21st-century mercenary.” Its role in developing and selling Pegasus to adversaries also attracted the ire of the U.S. government (Department of Commerce), which added NSO Group (along with Candiru) to the Entity List, effectively banning the country’s entities from trading with the company.
It remains to be seen if Apple will sue QuaDream as well.
In January 2022, Meta said the NSO Group is “only one piece of a much broader global cyber mercenary ecosystem.” The social networking giant also identified 50,000 users hailing from 100 countries that were spied upon in 2021 and seven private companies engaged in unethical and illicit surveillance of users across two of its platforms, Facebook and Instagram.
“Ultimately, this report is a reminder that the industry for mercenary spyware is larger than any one company and that continued vigilance is required by researchers and potential targets alike,” QuaDream researchers concluded.
“Until the out-of-control proliferation of commercial spyware is successfully curtailed through systemic government regulations, the number of abuse cases is likely to continue to grow, fueled both by companies with recognizable names, as well as others still operating in the shadows.”
How do you think iPhone users can safeguard themselves against this spyware? Let us know on LinkedIn, Twitter, or Facebook. We would love to hear from you!
Image source: Shutterstock
MORE ON MALWARE
