
Israeli Firm Using Spyware to Infect iPhones Via Calendar Invites

QuaDream likely deployed the spyware in 2021 on targets, including journalists and political opposition figures, according to Microsoft and Citizen Lab.

An Israeli surveillance company has been found infecting iPhones with spyware, possibly by exploiting Apple’s iCloud calendar invitation system. 

The findings come from Microsoft and watchdog group Citizen Lab, which investigated spyware samples that allegedly come from Israel-based QuaDream. The spyware, dubbed “EndofDays,” was used back in 2021, and leveraged a “zero-click” exploit—or an attack that can hijack an iPhone without requiring the user to click on anything. 

Once it infects a device, EndofDays can record audio from phone calls, secretly take pictures, and search through the device for files, among other capabilities, including a self-destruct function that can wipe traces of the spyware.

The self-erasing abilities make it difficult to understand the full scope of the attack. But in its report, Citizen Lab uncovered evidence that QuaDream was likely using “invisible iCloud calendar invitations sent from the spyware’s operator to victims” in order to deliver the attack. 

The spyware samples themselves contain an ability to delete events from the iOS calendar associated with a specific email address. Citizen Lab also examined the iPhones belonging to two victims of the spyware; both devices showed traces of tampering through calendar invite ICS files.

“We suspect that the attacker’s use of closing and opening CDATA tags in the .ics could potentially facilitate the inclusion of additional XML data that would be processed by the user’s phone, in order to trigger some behaviour desired by the attacker,” Citizen Lab said. 

Hence, it’s possible the spyware arrived through emails carrying the malicious calendar invites. Citizen Lab researcher Bill Marczak also notes the malicious calendar invites were for events logged in the past, which stopped iCloud from automatically notifying users about the invites. However, researchers were unable to recover any XML data from the ICS files. 
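The two traits the report attributes to the malicious invites (closing and opening CDATA tags inside the .ics, and event dates placed in the past so iCloud stays silent) are both visible in the ICS text itself, so a defender triaging a mailbox or a device backup can screen invites for them. The scanner below is an added example written for this article; it is not code from Citizen Lab, Microsoft or Apple, and the two sample invites are constructed stand-ins, not the real files. The checks are heuristics derived from the report's description (an invite matching them deserves a closer look, not a verdict), and the choice of DTSTAMP as the reference time when none is supplied is an assumption.

```python
"""Screen .ics calendar invitations for CDATA markup and past-dated events.

Added example (not from the report). Heuristics only: an invite that matches
both traits resembles what Citizen Lab described, but is not proof of anything.
"""
import re
from datetime import datetime, timezone

# Constructed sample invites. Neither is a real artifact from the report.
SUSPICIOUS_ICS = """BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//constructed//example//EN
BEGIN:VEVENT
UID:constructed-0001@example.invalid
DTSTAMP:20210601T120000Z
DTSTART:20190101T090000Z
DTEND:20190101T100000Z
SUMMARY:Meeting
DESCRIPTION:<![CDATA[]]>
 <![CDATA[placeholder]]>
END:VEVENT
END:VCALENDAR
"""

BENIGN_ICS = """BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//constructed//example//EN
BEGIN:VEVENT
UID:constructed-0002@example.invalid
DTSTAMP:20210601T120000Z
DTSTART;TZID=Europe/Berlin:20210610T090000
DTEND;TZID=Europe/Berlin:20210610T100000
SUMMARY:Project sync
DESCRIPTION:Agenda: status round, open issues
END:VEVENT
END:VCALENDAR
"""

CDATA_RE = re.compile(r"<!\[CDATA\[|\]\]>")
DT_FORMATS = ("%Y%m%dT%H%M%SZ", "%Y%m%dT%H%M%S", "%Y%m%d")


def unfold(ics_text):
    """Undo RFC 5545 line folding: a line starting with space/tab continues the previous one."""
    out = []
    for line in ics_text.replace("\r\n", "\n").split("\n"):
        if line[:1] in (" ", "\t") and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return out


def parse_events(ics_text):
    """Return one dict of property name -> raw value per VEVENT (parameters dropped)."""
    events, current = [], None
    for line in unfold(ics_text):
        if line == "BEGIN:VEVENT":
            current = {}
        elif line == "END:VEVENT":
            if current is not None:
                events.append(current)
            current = None
        elif current is not None and ":" in line:
            name, value = line.split(":", 1)
            current[name.split(";", 1)[0].upper()] = value  # strip ;TZID=... etc.
    return events


def parse_dt(value):
    """Parse the common DATE-TIME/DATE forms; floating and date-only values are treated as UTC (assumption)."""
    for fmt in DT_FORMATS:
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None


def event_indicators(event, reference=None):
    """List the heuristic hits for one event. Reference time defaults to the invite's DTSTAMP."""
    reasons = []
    if any(CDATA_RE.search(v) for v in event.values()):
        reasons.append("cdata-markup")  # CDATA has no business in a plain-text ICS property
    start = parse_dt(event.get("DTSTART", ""))
    ref = reference or parse_dt(event.get("DTSTAMP", "")) or datetime.now(timezone.utc)
    if start is not None and start < ref:
        reasons.append("past-dated-start")  # invite for an event that is already over
    return reasons


def scan_ics(ics_text, reference=None):
    """Return [(uid, [reasons...])] for every event in the file."""
    return [(ev.get("UID", "<no-uid>"), event_indicators(ev, reference))
            for ev in parse_events(ics_text)]


if __name__ == "__main__":
    for label, text in (("suspicious", SUSPICIOUS_ICS), ("benign", BENIGN_ICS)):
        for uid, reasons in scan_ics(text):
            print(f"{label}: {uid} -> {reasons or 'no indicators'}")
```

Run it over every .ics attachment pulled from a mailbox export or a device backup and review the events that return a non-empty reason list; the CDATA check is the stronger signal, since a past-dated invite on its own is common for meetings that were rescheduled or forwarded late.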

Citizen Lab’s report goes on to say EndofDays infected at least five victims including journalists, political opposition figures, and an NGO worker. The victims were based in North America, Central Asia, Southeast Asia, Europe, and the Middle East. 

Although Apple appears to have patched the spyware exploit in 2021 through various software updates, Microsoft says it’s “highly likely” QuaDream has updated their tactics to hijack iPhones on the latest versions of iOS.  

QuaDream maintains a shadowy presence; the company has no public website or social media accounts. But according to Reuters, QuaDream has sold its spyware technologies to law enforcement clients in Mexico, Saudi Arabia, and Singapore. 

Citizen Lab also published evidence showing that QuaDream maintains servers in 10 countries to exfiltrate data from devices infected with the company’s spyware, including the Czech Republic, Mexico, Romania, Ghana, and the United Arab Emirates. 

“Ultimately, this report is a reminder that the industry for mercenary spyware is larger than any one company, and that continued vigilance is required by researchers and potential targets alike,” Citizen Lab added. 

An Apple spokesperson told PCMag there's no evidence that the exploit from QuaDream was used since iOS 14.4.2 shipped back in March of 2021. The company has also developed an optional new "Lockdown Mode," which can stymie hacking attempts from professional spyware companies.

About Michael Kan