iPhones hacked via invisible calendar invites to drop QuaDream spyware

Microsoft and Citizen Lab discovered commercial spyware made by an Israel-based company QuaDream used to compromise the iPhones of high-risk individuals using a zero-click exploit named ENDOFDAYS.

The attackers targeted a zero-day vulnerability affecting iPhones running iOS 1.4 up to 14.4.2 between January 2021 and November 2021, using what Citizen Lab described as backdated and "invisible iCloud calendar invitations."

When iCloud calendar invitations with backdated timestamps are received on iOS devices, they are automatically added to the user's calendar without any notification or prompt, allowing the ENDOFDAYS exploit to run without user interaction and the attacks to be undetectable by the targets.

Compromised devices belonged to "at least five civil society victims of QuaDream's spyware and exploits in North America, Central Asia, Southeast Asia, Europe, and the Middle East," Citizen Lab researchers said.

"Victims include journalists, political opposition figures, and an NGO worker. We are not naming the victims at this time."

The surveillance malware deployed in this campaign (dubbed KingsPawn by Microsoft) was also designed to self-delete itself and clean out any tracks from victims' iPhones to evade detection.

"We found that the spyware also contains a self-destruct feature that cleans up various traces left behind by the spyware itself," Citizen Lab said.

"Our analysis of the self-destruct feature revealed a process name used by the spyware, which we discovered on victim devices."

The spyware comes with a wide range of "features" based on Citizen Lab's analysis, from recording environmental audio and calls to allowing the threat actors to search the victims' phones.

The complete list of capabilities discovered while analyzing QuaDream's spyware includes the following:

Recording audio from phone calls Recording audio from the microphone Taking pictures through the device's front or back camera Exfiltrating and removing items from the device's keychain Hijacking the phone's Anisette framework and hooking the gettimeofday syscall to generate iCloud time-based one-time password (TOTP) login codes for arbitrary dates. We suspect that this is used to generate two-factor authentication codes valid for future dates, in order to facilitate persistent exfiltration of the user's data directly from iCloud Running queries in SQL databases on the phone Cleaning remnants that might be left behind by zero-click exploits Tracking the device's location Performing various filesystem operations, including searching for files matching specified characteristics

Citizen Lab found QuaDream servers in multiple countries, including Bulgaria, the Czech Republic, Hungary, Ghana, Israel, Mexico, Romania, Singapore, United Arab Emirates (UAE), and Uzbekistan.

"Ultimately, this report is a reminder that the industry for mercenary spyware is larger than any one company, and that continued vigilance is required by researchers and potential targets alike," Citizeb Labs said.

"Until the out-of-control proliferation of commercial spyware is successfully curtailed through systemic government regulations, the number of abuse cases is likely to continue to grow, fueled both by companies with recognizable names, as well as others still operating in the shadows."

One year ago, Citizen Lab also revealed details on a zero-click iMessage exploit (dubbed HOMAGE) that was used to install NSO Group spyware on the iPhones of Catalan politicians, journalists, and activists.

Commercial spyware provided by surveillance tech providers such as NSO Group, Cytrox, Hacking Team, and FinFisher has been repeatedly deployed on Android and iOS devices vulnerable to zero-day flaws (in most cases via zero-click exploits undetectable by the targets).