As the Pegasus spyware has begun to wane, Citizen Lab reports that a new vendor called “QuaDream” is rising to take its place.
Like Pegasus maker NSO Group, the new provider is based in Israel and appears to work exclusively with government clients. However, it has provided its spyware to governments that appear to have used it to track activists, journalists and political opponents, among other questionable uses.
And, like Pegasus, this spyware appears to make use of zero-days that can compromise mobile devices without the target having to click on anything.
QuaDream spyware deployed for questionable purposes in UAE, Hungary and Mexico
The Citizen Lab report does not name the victims that have been tracked by QuaDream spyware, but says that five have been identified thus far and that they are members of “civil society” (presumably not under investigation for some sort of crime). The report also does not pair these victims to specific countries, but does name the United Arab Emirates, Hungary and Mexico as “countries of concern.” Citizen Lab says that the victims include journalists, political opposition figures and at least one NGO employee.
QuaDream appears to be on the rise thanks to a “zero-click” and previously unseen exploit that is confirmed to work against iOS versions 14.4 and 14.4.2, and may work against other versions. Apple patched the Pegasus vulnerability out of iOS with version 14.8 (released in September 2021), but Citizen Lab identifies this as something different called “ENDOFDAYS.” The exploit appears to target iCloud calendar invitations rather than iMessage.
QuaDream keeps an extremely limited public profile, to a very unusual degree for a business looking to market a product. It has no public-facing website or social media accounts, and media coverage has been very thin though the company has been in business since 2014. It was founded by a partnership that includes two former members of NSO Group, the company behind the Pegasus spyware. But recent news of its exploits being leveraged has revealed that it sells its product to a broad variety of countries.
Much of what is publicly known about the company’s business has been revealed via a legal dispute it is in with Cyprus-based InReach, which QuaDream approached in 2017 about promoting its spyware outside of Israel. QuaDream has taken InReach to court over failure to pay its agreed-upon share of revenue from the sale of this spyware, withholding some $6 million in total in what QuaDream alleges was an attempt to commit fraud via a secret Swiss bank account that it took pains to hide.
Reuters and other media sources report that attempts to visit QuaDream’s headquarters have been met with no one answering the door, and attempts to contact listed personnel yield no returned calls. This differs from NSO Group’s approach during the “Pegasus Papers” reporting, as the spyware vendor maintained at least some level of contact with the media about it throughout.
QuaDream spyware provides free-ranging access to compromised devices
The scope of the QuaDream spyware (called “KingsPawn”) appears to be similar to what Pegasus has been offering, giving the attacker access to essentially all of the media, inputs and outputs on the compromised device. An attacker can record microphone and phone call audio, access stored files and both cameras, track GPS location, exfiltrate keychain items and generate iCloud 2FA passwords. The spyware also has a “cleanup” function that removes evidence of its activities. Data exfiltration takes place via HTTPS POST requests to servers using what appear to be self-signed certificates.
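The exfiltration detail above (HTTPS POST to servers presenting self-signed certificates) is the kind of indicator a network defender can hunt for in TLS telemetry. The script below is an added example written for this article; it is not code from Citizen Lab, Microsoft or the report. It parses a constructed, simplified connection log (one record per TLS session, with the server certificate's subject and issuer and the first HTTP request seen) and flags large POST uploads to hosts whose certificate issuer equals its subject, which is the usual signature of a self-signed leaf certificate. The log format, hostnames and addresses are all invented for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample log (not from the report). Each line: timestamp, then
# key=value fields describing one TLS session and its first HTTP request.
SAMPLE_LOG = """\
2023-04-11T10:02:13Z src=10.0.0.5 dst=203.0.113.7:443 method=POST host=cdn-sync.example issuer="CN=cdn-sync.example" subject="CN=cdn-sync.example" bytes_out=48212
2023-04-11T10:02:15Z src=10.0.0.5 dst=198.51.100.20:443 method=GET host=www.example.com issuer="CN=Example Public CA" subject="CN=www.example.com" bytes_out=812
2023-04-11T10:03:40Z src=10.0.0.9 dst=203.0.113.7:443 method=POST host=cdn-sync.example issuer="CN=cdn-sync.example" subject="CN=cdn-sync.example" bytes_out=1203991
2023-04-11T10:05:01Z src=10.0.0.5 dst=198.51.100.44:443 method=POST host=api.example.org issuer="CN=Example Public CA" subject="CN=api.example.org" bytes_out=5120
"""

# key=value pairs; values may be double-quoted so that they can contain spaces.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Finding:
    timestamp: str
    src: str
    dst: str
    host: str
    bytes_out: int
    reason: str


def parse_line(line: str) -> dict:
    """Split one log line into a dict of fields (hypothetical format)."""
    timestamp, _, rest = line.partition(" ")
    fields = {"timestamp": timestamp}
    for key, value in KV_RE.findall(rest):
        fields[key] = value.strip('"')
    return fields


def is_self_signed(fields: dict) -> bool:
    """A leaf certificate whose issuer is its own subject was not issued by a CA."""
    issuer = fields.get("issuer")
    return bool(issuer) and issuer == fields.get("subject")


def find_suspicious_posts(log_text: str, min_bytes: int = 10_000) -> list:
    """Return POST uploads of at least min_bytes to self-signed HTTPS servers."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_line(line)
        if f.get("method") != "POST" or not is_self_signed(f):
            continue
        bytes_out = int(f.get("bytes_out", "0"))
        if bytes_out < min_bytes:
            continue
        findings.append(Finding(
            timestamp=f["timestamp"], src=f.get("src", "?"), dst=f.get("dst", "?"),
            host=f.get("host", "?"), bytes_out=bytes_out,
            reason="POST to server with self-signed certificate",
        ))
    return findings


def summarize_by_dst(findings: list) -> dict:
    """Total bytes uploaded per destination, to surface repeated exfiltration."""
    totals: dict = {}
    for fnd in findings:
        totals[fnd.dst] = totals.get(fnd.dst, 0) + fnd.bytes_out
    return totals


if __name__ == "__main__":
    hits = find_suspicious_posts(SAMPLE_LOG)
    for h in hits:
        print(f"{h.timestamp} {h.src} -> {h.dst} ({h.host}) {h.bytes_out} bytes: {h.reason}")
    print("per-destination totals:", summarize_by_dst(hits))
```

The issuer-equals-subject test is a heuristic: it also matches internal test servers and appliances that legitimately use self-signed certificates, so in practice the rule is paired with an allowlist of known internal hosts and tuned on upload volume, and a hit is treated as a lead for triage of the source device rather than as proof of compromise.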
The discovery originates from Microsoft’s threat intelligence team, which first observed the QuaDream spyware at work on older iPhone models. A previous version of the company’s product, called “Reign,” was making use of the same iOS vulnerability that Pegasus exploited in 2021 before it was patched out. Meta also published a public report on the group’s spyware in December 2022 after it found QuaDream was making use of some 250 fake Facebook accounts as part of its system. An anonymous source that spoke to TechCrunch claims that QuaDream has entirely given up on Android spyware and is putting all of its focus on Apple devices, perhaps because likely targets are themselves moving to iPhones out of privacy concerns.
Microsoft also announced that it believes a previously unidentified threat group that it dubbed “DEV-0196” is part of QuaDream’s spyware operation. The secretive company may be offering governments hacking capabilities in a “cyber mercenary” capacity in addition to its platform. The threat group has left a trail of rentals of inexpensive web hosting that it pays for in cryptocurrency.
iPhones are famous for their longevity and for Apple’s long-term support for older models, but this incident reaffirms the need for all device users to keep up with OS updates (anything prior to 14.8 is still potentially vulnerable to both Pegasus and QuaDream). The oldest iPhone that can still be updated to this level is the 6s.
Shridhar Mittal, CEO at Zimperium, provides some further insights into the risks of government spyware: “During 2022, Zimperium detected thousands of unique mobile spyware samples. There are two main classes of mobile spyware: nation-state level solutions like those from organizations like QuaDream that often leverage zero-click vulnerabilities and those that leverage less sophisticated delivery techniques, such as social engineering, to infect devices. While the delivery techniques vary, there are hardly any differences in the spying capabilities of both classes once the device has been infected. There is no denying that these threats are real and continue to be a growing problem, which isn’t just impacting government entities and high-profile targets like journalists and activists, but is a threat to all corporate employees.”