Israeli spyware software surveilling journalists, politicians

A secretive Israeli spyware company’s software has been used on journalists, political figures and a civil-society worker on three continents, researchers have found.

Digital forensics outfit Citizen Lab and Microsoft Threat Intelligence both published detailed reports on Tuesday about the Israeli spyware company QuaDream, which has kept a low public profile since its founding in 2016.

The company reportedly markets a surveillance platform called Reign to governments. Microsoft described it as “a suite of exploits, malware, and infrastructure designed to exfiltrate data from mobile devices.” Likely to evade export controls and oversight, the company sells its products outside of Israel through a Cyprus-based entity called InReach.

“QuaDream operates with a minimal public presence, lacking a website, extensive media coverage, or social media presence,” Citizen Lab wrote. “QuaDream employees have reportedly been instructed to refrain from mentioning their employer on social media.”

Microsoft researchers were able to detect two samples on iOS devices of the spyware, which they dubbed KingsPawn and attributed to QuaDream with high confidence. They shared the samples with Citizen Lab, who used them to detect the company’s spyware targeting five victims in North America, Europe, Central Asia, Southeast Asia and the Middle East. Citizen Lab also determined that “QuaDream systems,” including servers for receiving data and deploying exploits, operated from Bulgaria, Czech Republic, Hungary, Ghana, Israel, Mexico, Romania, Singapore, United Arab Emirates and Uzbekistan.

Citizen Lab also identified traces of a zero-click exploit they believe was used to deploy the spyware on iOS versions 14.4 and 14.4.2. The exploit uses calendar invitations that are invisible to the account owner and, after deployment, the spyware attempts to cover its tracks to prevent detection. Zero-click exploits infect a device without any activity by the user.

The researchers found that one of the samples discovered by Microsoft opened the door for an array of surveillance activities, including location tracking, the use of a device’s camera and file access.

“Like other, similar, mercenary spyware the implant has a range of capabilities from hot-mic audio recording of calls and the environment, to more advanced capabilities to search through the phone,” Citizen Lab wrote.

QuaDream — whose three founders include a former Israeli military official and two former employees of the prominent spyware company NSO Group — has remained out of the limelight until recently.

A Reuters investigation revealed last year that the company’s spyware had taken advantage of a security flaw in Apple’s products. And in a report last December, Meta revealed that it had removed about 250 Facebook and Instagram accounts “linked to Quadream.”

“This network engaged in a … testing activity between their own fake accounts, targeting Android and iOS devices in what we assess to be an attempt to test capabilities to exfiltrate various types of data including messages, images, video and audio files, and geolocation,” Meta wrote.

The use of spyware globally has been under a microscope recently after several high-profile incidents, including the discovery that dozens of politicians, journalists and businesspeople in Greece had been surveilled with the Predator spyware.

A massive leak of documents from the Mexican Defense Ministry revealed recently that the military has continued to use spyware to surveil civilians, and in the U.S. the Biden administration signed an executive order in late March banning the government’s use of commercial spyware.