iPhone hacked via invisible calendar invite with Spyware

Microsoft and Citizen Lab discovered commercial spyware made by the Israel-based company QuaDream being used to compromise the iPhones of high-risk individuals through a zero-click exploit named ENDOFDAYS.
The attackers targeted a zero-day vulnerability affecting iPhones with backdated and “invisible iCloud calendar invitations.” Invitations of this kind received on iOS devices are automatically added to the user’s calendar without any notification or prompt, allowing the ENDOFDAYS exploit to run without user interaction and the attacks to go unnoticed by the targets. The spyware also contains a self-destruct feature that cleans up various traces left behind by the spyware itself.
The spyware is capable of:
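As an added example (not code from the Microsoft or Citizen Lab reports), a small triage script for a calendar export in iCalendar format that flags invitations whose event date was already well in the past when the invitation itself was stamped, the kind of backdated invite described above. The sample export and the one-day threshold are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed iCalendar export (not real data): a normal invite, then a backdated one.
SAMPLE_ICS = """BEGIN:VCALENDAR
BEGIN:VEVENT
UID:meeting-1@example.com
DTSTAMP:20230410T090000Z
DTSTART:20230412T140000Z
ORGANIZER:mailto:colleague@example.com
END:VEVENT
BEGIN:VEVENT
UID:odd-invite@example.net
DTSTAMP:20230410T091500Z
DTSTART;VALUE=DATE:20220101
ORGANIZER:mailto:unknown@example.net
END:VEVENT
END:VCALENDAR
"""

def _parse_dt(value):
    # Accept DATE (YYYYMMDD) and DATE-TIME (YYYYMMDDTHHMMSS[Z]); compared as naive timestamps.
    value = value.rstrip("Z")
    return datetime.strptime(value, "%Y%m%dT%H%M%S" if "T" in value else "%Y%m%d")

def parse_events(ics_text):
    """Return one dict per VEVENT, keyed by property name (parameters dropped)."""
    events, current = [], None
    # RFC 5545 folds long lines with CRLF + space/tab; join them before splitting.
    for line in re.sub(r"\r?\n[ \t]", "", ics_text).splitlines():
        if line == "BEGIN:VEVENT":
            current = {}
        elif line == "END:VEVENT":
            events.append(current)
            current = None
        elif current is not None and ":" in line:
            name, value = line.split(":", 1)
            current[name.split(";", 1)[0]] = value
    return events

def find_backdated_invites(ics_text, min_lag=timedelta(days=1)):
    """Flag events whose DTSTART was already at least `min_lag` in the past when the
    invitation was stamped (DTSTAMP); a genuine invite is rarely sent for a past event."""
    flagged = []
    for ev in parse_events(ics_text):
        if "DTSTAMP" in ev and "DTSTART" in ev:
            lag = _parse_dt(ev["DTSTAMP"]) - _parse_dt(ev["DTSTART"])
            if lag >= min_lag:
                flagged.append((ev.get("UID", "?"), ev.get("ORGANIZER", "?"), lag.days))
    return flagged
```

Flagged entries are leads for manual review of the organizer and delivery path, not proof of compromise, since some legitimate tools also create events with past dates.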
– Recording audio from phone calls
– Recording audio from the microphone
– Taking pictures through the device’s front or back camera
– Exfiltrating and removing items from the device’s keychain
– Hijacking the phone’s Anisette framework and hooking the gettimeofday syscall to generate iCloud time-based one-time password (TOTP) login codes for arbitrary dates.
– Running queries in SQL databases on the phone
– Cleaning remnants that might be left behind by zero-click exploits
– Tracking the device’s location
– Performing various filesystem operations, including searching for files matching specified characteristics
