Microsoft and The Citizen Lab identify new Israeli spyware QuaDream: Here’s how it works

The spyware used invisible iCloud calendar invitations sent from the spyware’s operator to victims, which would then be automatically added to the user’s calendar

Microsoft Corp and internet watchdog The Citizen Lab, in their reports, have identified at least 10 countries where an Israeli spyware company QuaDream targeted at least five civil society victims including journalists, political opposition figures, and an NGO worker.

“…Once QuaDream infections become discoverable through technical methods, a predictable cast of victims emerged: civil society and journalists. This pattern is a repetition of the abuses found with more notorious players, like NSO Group’s Pegasus spyware, Cytrox’s Predator spyware, and before them Hacking Team and FinFisher,” said The Citizen Lab report.

What is QuaDream? QuaDream is an Israeli surveillance technology company that specializes in the development and sale of advanced digital offensive technology to government clients. It was founded by a group including two former NSO Group employees, Guy Geva and Nimrod Reznik. The NSO Group is the company that developed the Pegasus spyware that had created quite a buzz in India.


Which countries have QuaDream systems?

On scanning the internet, The Citizen Lab identified Bulgaria, Czech Republic, Hungary, Ghana, Israel, Mexico, Romania, Singapore, United Arab Emirates (UAE), and Uzbekistan as the countries where there are QuaDream systems. Of these, Hungary, Mexico, and the UAE are known to abuse spyware to target human rights defenders, journalists, and other civil society members.


Suspected locations of QuaDream operators | Citizen Lab

How does QuaDream hack into a user's device?

The Citizen Lab report identified traces of a “suspected iOS 14 zero-click exploit” used to deploy QuaDream’s spyware. This essentially means that the cyberattack was carried out without the user’s intervention. Dubbed ENDOFDAYS, the exploit was deployed against iOS versions 14.4 and 14.4.2, and possibly other versions. It uses invisible iCloud calendar invitations sent from the spyware’s operator to victims. These invites would be backdated, and so, on iOS 14, they would be automatically processed and added to the user’s calendar without a notification.

What can the spyware do?

Microsoft Threat Intelligence shared with the internet watchdog two samples (Samples 1 and 2) of iOS spyware that it calls KingsPawn and attributed them to QuaDream “with high confidence.” As per the Microsoft report, some of the code in these samples can also be used on Android devices. After analyzing the samples, The Citizen Lab identified Sample 2 as the “final spyware payload,” which is capable of hot-mic audio recording of calls and the environment and can even search through the phone.

Specifically, The Citizen Lab report said, “Sample 2 appears to have functionality for:

  • Recording audio from phone calls
  • Recording audio from the microphone
  • Taking pictures through the device’s front or back camera
  • Exfiltrating and removing items from the device’s keychain
  • Hijacking the phone’s Anisette framework and hooking the gettimeofday syscall to generate iCloud time-based one-time password (TOTP) login codes for arbitrary dates. We [The Citizen Lab] suspect that this is used to generate two-factor authentication codes valid for future dates, in order to facilitate persistent exfiltration of the user’s data directly from iCloud
  • Running queries in SQL databases on the phone
  • Cleaning remnants that might be left behind by zero-click exploits
  • Tracking the device’s location
  • Performing various filesystem operations including searching for files matching specified characteristics.”

The spyware also contains a self-destruct feature that cleans up its own traces. In addition, the spyware’s “Calendar Cleanup” function deletes specific events from the iOS calendar whose “start date is after 728 days ago” and that match a “supplied email address.”

“The functions appear to be executed when a special cleanup command is received from the spyware’s command-and-control server. The cleanup command includes an email address that specifies the scope of the cleanup,” said The Citizen Lab.

As per Microsoft’s report, the spyware can also get device information like the iOS version and battery status, Wi-Fi information (SSID and airplane mode status), and cellular information (carrier, SIM card data, and phone number). It can also monitor phone calls and generate an iCloud time-based one-time password (TOTP).
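
An added example, not code from Microsoft, The Citizen Lab, or the spyware: it uses the public RFC 6238 TOTP algorithm as a stand-in (an assumption, since the page does not describe Apple's Anisette scheme) to show why control over the clock value, as in the Sample 2 capability list and Microsoft's report, yields codes valid for future dates. The seeds and function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

# Constructed demo seed (the published RFC 6238 test key), not a real credential.
DEMO_SEED = b"12345678901234567890"
ROTATED_SEED = b"constructed-replacement-seed"  # constructed value


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 8) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): the code depends only on seed and time."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def server_accepts(seed: bytes, code: str, now: int,
                   step: int = 30, drift: int = 1) -> bool:
    """Verifier side: accept the current window plus/minus `drift` windows."""
    return any(
        hmac.compare_digest(code, totp(seed, now + d * step, step, len(code)))
        for d in range(-drift, drift + 1)
    )


def demo() -> dict:
    future = 2_000_000_000  # 2033-05-18 03:33:20 UTC
    # Computed today: nothing but the seed and a chosen time value is needed.
    banked = totp(DEMO_SEED, future)
    return {
        "banked_code": banked,
        "valid_when_date_arrives": server_accepts(DEMO_SEED, banked, future),
        "valid_an_hour_later": server_accepts(DEMO_SEED, banked, future + 3600),
        "valid_after_seed_rotation": server_accepts(ROTATED_SEED, banked, future),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The last case is the defensive point: a code banked from the old seed keeps verifying in its window until the seed itself is replaced on the verifier side.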


Why it matters: Reports like these highlight that there is a large industry for mercenary spyware that threatens the work of journalists and civil society groups. It’s no longer only governments but even private entities that have access to such surveillance. It is worrisome that some countries suspected of having QuaDream customers are known for their attacks on human rights defenders. India too has been flagged for its failure to act on spyware like Pegasus. Thus, it is important to understand the manner in which such spyware invades and monitors individuals’ devices.

Indian government’s interest in spyware

In 2022, the Organised Crime and Corruption Reporting Project (OCCRP) in an investigation said that the Indian government received a shipment containing hardware that resembles equipment used in the deployment of Pegasus. As per the investigation, India’s principal intelligence agency, Intelligence Bureau, purchased the hardware in April 2017 from the NSO Group.

However, in 2021, Bloomberg reported that the NSO group was in danger of defaulting on its debts and was considering shutting down its Pegasus spyware unit or selling the entire company. While this might mean a win for privacy, it also means that governments across the globe, including India, could end up looking for alternative technologies.

According to The Citizen Lab’s report, “Until the out-of-control proliferation of commercial spyware is successfully curtailed through systemic government regulations, the number of abuse cases is likely to continue to grow, fueled both by companies with recognizable names, as well as others still operating in the shadows.”

In its report, the internet watchdog also included a list of “key individuals” associated with QuaDream and InReach through a review of corporate documents, newspaper articles, etc., which may be viewed here. The list includes Geva and Rinsky who were involved in the Pegasus spyware as well.


This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ
