Invisible Calendar Invites Used to Deploy QuaDream Spyware on iPhones

Researchers from Citizen Lab and Microsoft have uncovered a new campaign that utilized a zero-click exploit named ENDOFDAYS to compromise iPhones with QuaDream spyware. The Israel-based company QuaDream developed the commercial spyware, which targeted high-risk individuals such as journalists, political opposition figures, and NGO workers in North America, Central Asia, Southeast Asia, Europe, and the Middle East.

Between January and November 2021, the attackers exploited a zero-day vulnerability affecting iPhones running iOS 14.4 to 14.4.2. The exploit was delivered via backdated and “invisible” iCloud calendar invitations, which were automatically added to the user’s calendar without any notification or prompt. This allowed the ENDOFDAYS exploit to run without user interaction and made the attacks undetectable by the targets.

The surveillance malware used in this campaign, dubbed KingsPawn by Microsoft, was designed to self-delete and clean up any traces it left behind on the victims’ iPhones, evading detection. Citizen Lab’s analysis revealed the spyware’s self-destruct feature, which exposed a process name used by the malware found on victim devices.

QuaDream’s spyware offered a wide range of capabilities, including:

• Recording phone calls
• Capturing audio via the microphone
• Taking photos with the device’s camera
• Extracting and removing items from the keychain
• Stealing files
• Tracking the device’s location
• Deleting forensic traces of its existence

While QuaDream has largely managed to stay under the radar, Israeli newspaper Haaretz reported in 2021 that it sold its products to Saudi Arabia. Additionally, Reuters reported that QuaDream sold an iPhone exploit comparable to the one provided by NSO Group.

Citizen Lab discovered QuaDream servers in Bulgaria, the Czech Republic, Hungary, Ghana, Israel, Mexico, Romania, Singapore, the United Arab Emirates (UAE), and Uzbekistan. QuaDream does not operate the spyware itself, but its government customers do, a common practice in the surveillance technology sector.

This is not the first time Citizen Lab has exposed a zero-click exploit. A year ago, the organization revealed details on the HOMAGE exploit, which was used to install NSO Group spyware on the iPhones of Catalan politicians, journalists, and activists. Commercial spyware from surveillance tech providers such as NSO Group, Cytrox, Hacking Team, and FinFisher has been repeatedly deployed on Android and iOS devices vulnerable to zero-day flaws, often through zero-click exploits undetectable by the targets.

The discovery of QuaDream’s malware highlights the fact that the spyware industry is not only made up of NSO Group, but there are several other companies, most of which are still flying under the radar. As a result, Citizen Lab emphasizes the need for continued vigilance by researchers and potential targets and calls for systemic government regulations to address the out-of-control proliferation of commercial spyware.