Pegasus has become about as close to a “household name” as spyware ever has, drawing extended mainstream media coverage and the special security attention of Apple. Though that threat may be on the wane, the market for this sort of invasive tracking software remains robust and other players are stepping up.
A recent report from Citizen Lab finds that Israel-based QuaDream, founded in part by several former members of Pegasus developer NSO Group, is likely the new go-to for repressive governments that want to track dissidents and political opposition. QuaDream’s products are similar in that they target both iOS and Android devices and have been spotted deploying zero-days, including at least one “zero-click” that can compromise a target upon receipt.
Spyware from QuaDream differs from Pegasus patterns
The report references at least two QuaDream products, “Reign” and “KingsPawn,” that use different approaches than those seen in the Pegasus spyware. However, patching that undid Pegasus may have also cut off some of QuaDream’s access.
When targets are compromised by QuaDream, they can expect the same level of attacker access granted to Pegasus spyware users: generally free rein on the phone to take any kind of file or intercept any kind of communication. Attackers can also activate microphones and cameras, and track the target’s GPS location. And, like Pegasus, QuaDream’s products are hard to detect, as they are designed to clean up their own traces even while they actively exfiltrate files.
“Reign” was reportedly hobbled by Apple’s 2022 patches to address Pegasus, though it appeared to be getting to targets in a somewhat different way. Apple mobile devices must be updated to at least iOS 14.8 to be protected from both forms of spyware, which puts devices from about 10 years ago beyond help.
QuaDream also reportedly does not just provide spyware, but also the active intervention of its own private team of hackers. This would be a step beyond Pegasus, which provided consultation with clients on how to use the software but was not known to field active agents that assist in breaches. Microsoft says that a previously unknown team called “DEV-0196” is working for QuaDream in essentially a mercenary capacity.
QuaDream business focuses on nation-states
Citizen Lab reports five known victims of QuaDream spyware thus far. Among this group are political opposition figures, journalists and NGO workers who are thought to have been tracked for humanitarian or activist work rather than on suspicion of involvement in crime.
The QuaDream spyware also has at least one zero-click exploit in its arsenal, part of an attack method the researchers call “ENDOFDAYS.” It exploits a code flaw in iCloud calendar invitations, sending an invisible message that the target may not even realize they’ve received, and is known to work on at least some versions of iOS prior to 14.8. This differs from the iMessage approach used by Pegasus, but something in Apple’s security updates may have also nullified QuaDream’s technique.
It is hard to say exactly who QuaDream is providing spyware to, given that it keeps a much lower public profile than Pegasus (which required internal leaks to determine the extent of its operations). Citizen Lab says that the UAE, Hungary and Mexico are “countries of concern” and notes that the spyware has been sold to Saudi Arabia and Ghana among other nations. Some of these names previously popped up in the Pegasus files in terms of tracking journalists and activists.