The trust and importance we place in our smartphones are growing, and with it, the number of tasks they handle for us, and the amount of data they see passing by and recording. Let’s imagine for a moment that our favorite banking application is the victim of an unprecedented data leak, or that spyware hidden on your smartphone sneaks in all your precious information. Just kidding, but imagine…
Putting an end to QuaDream’s spyware, REIGN
QuaDream is preparing to cease operations, Israeli business daily Calcalist reveals on the 16th of April. According to an investigation conducted by Microsoft’s team of security researchers in early April, the DEV-0196 or “KingsPaw” cyber threat is linked to the Israeli company Quadream, which sells a large-scale surveillance platform REIGN mainly to States and police forces around the world. QuaDream was founded by the former employees of NSO, the group behind the massive spying software Pegasus.
REIGN is a suite of exploits, malware and infrastructure designed to exfiltrate data from mobile devices, Microsoft explains.
Microsoft’s security team believes that the group DEV-0196 is actively using this model, selling malware services to governments. Citizen Lab, an interdisciplinary laboratory based at the Munk School of the University of Toronto, has supported their investigation, which identified traces of an iOS 14 zero-click exploit used to deploy this spyware.
Let’s scare ourselves for a while:
Citizen Lab’s survey reveals the following: The exploit used, named ENDOFDAYS uses invisible iCloud calendar invitations sent by the malware operator to the victim with a timestamp set to a previous date, which causes the iCloud application to add the invitation automatically without notifying the user.
This attack is, therefore, undetectable and allows attackers to:
- retrieve audio recordings of phone calls and microphone
- take pictures with the device’s cameras
- execute SQL queries on the device
- track the location of the device
- generate valid two-factor authentication codes later to retrieve user data stored on iCloud.
In addition to these “features”, a log monitoring agent is responsible for reducing the forensic footprint of the spyware to make detection more difficult and hinder investigations. It identifies files that correspond to crashes or traces of malicious code execution and removes them.
QuaDream’s servers have been found in many countries, including the Czech Republic, Hungary, Israel, Ghana, Mexico, Bulgaria, Singapore, UAE, Romania and Uzbekistan and at least five civil society victims of the DEV-0196 malware have been listed, including journalists, political opponents and an NGO employee. Still, the list of people spied on is most probably much longer.
This attack corresponds to a very precise and quite rare type of attack among the many ransomwares available on the market: the zero-click attacks.
What are Zero-click attacks?
Zero-click attacks are very convenient: as we have seen, they do not require any user action, which makes them very interesting for surveillance tasks. Often, the users of these attacks remain hidden for several years before the attack is discovered. This was the case for Pegasus (from 2013 to 2020).
As they are powerful vulnerabilities allowing these attacks are extremely valuable; in 2019, Zerodium, an American Information security company, gave a bounty of almost 2 million dollars for a Zero-click vulnerability on a smartphone. And that number must have increased since then.
Why does the spyware industry grow?
According to Steven Feldstein and Brian Kot, between 2011 and 2023, at least seventy-four governments contracted with commercial firms to obtain spyware or digital forensics technology (2023), “Global Inventory of Commercial Spyware & Digital Forensics,””, Mendeley Data.
The fact is: there is a high ongoing demand for intrusion technologies. So when a supplier is sanctioned, the market quickly fills the gap and new suppliers appear like QuaDream succeeds in the NSO group.
In addition to the top-level spyware sold by firms such as NSO group or Cytrox, the last few years have seen the massive arrival of a second tier of providers consisting of spyware companies, fly-by-night hacking operations, exploit brokers and other similar groups.
As digital giants come under increasing scrutiny by democratic governments regarding their practices, there has been a corresponding increase in malware using open-source code. These trends have made attacks much less costly for private actors and governments. Moreover, the “noise” generated by the sheer number of sources and the number of openly developed applications makes their identification nearly impossible and makes denial plausible or even likely.
If we add to this the lack of action by governments regarding the human rights abuses induced by this malware, leaving many companies to exploit legal loopholes or simply countries with weak control over exported data, we get a context favorable to the proliferation of spyware.
The use of those solutions by governments is not limited to weapons designed specifically for the purpose of spying on users. Many widely deployed applications are also prone to the implementation of spyware.
Pinduoduo: a large-scale spyware
With many applications collecting large amounts of user data, sometimes without explicitly asking for consent, Security experts say that the e-commerce giant Pinduoduo is violating privacy and data security.
The evidence of malware in the Pinduoduo app comes as Chinese apps, such as TikTok, are more and more subject to the scrutiny of security specialists due to data security concerns.
At the beginning of April, many experts identified the presence of malware on the Pinduoduo app that exploits vulnerabilities in Android operating systems. Company insiders said these exploits were used to spy on users and competitors, allegedly to increase sales. The findings follow Google’s suspension of Pinduoduo from its Play Store in March due to the identification of malware in some versions of the app.
We haven’t seen a mainstream app like this trying to escalate their privileges to gain access to things that they’re not supposed to gain access to, said Mikko Hyppönen, chief research officer at WithSecure
Pinduoduo is the case that generated the most noise, but it is not unique and must push governments and current authorities to put in place more restrictive measures and stricter controls concerning the use on the territory of applications from abroad.
Control and monitoring entities are being set up slowly in Europe and within countries.
The PEGA Committee
The PEGA Committee is an EU commission created in March 2022 to investigate Pegasus and other spyware surveillance, focusing on targeting journalists, diplomats, lawyers, law enforcement officers and more generally influential European political figures.
The commission is composed of 38 members and has already delivered a draft report in November 2022. The final version of this report should be available within the next few months. The study will focus on third countries and members of the European Union that use surveillance solutions conflicting with the European Charter of Fundamental Rights.
On the 16 of March 2023, the commission was asked by Rowland Corr, Vice president of government relations at Enea, to broaden its scope by highlighting the fact that other forms of espionage beyond the use of spyware were regularly occurring on mobile networks that were relevant to the Committee’s concerns.
An insufficient response from the EU
As of today, the response from the EU regarding the use of spyware needs to be stronger. According to Rowland Corr, this area of risk is not sufficiently understood, reported, or integrated at the national level. Critical infrastructure protection, cybersecurity, and national security intersect when it comes to mobile network security.
The commission’s first draft report, published in November 2022, states that national governments “deliberately ignore and violate EU laws” and highlights a lack of transparency, recourse and control mechanisms to ensure that the use of spyware by national intelligence and law enforcement agencies is proportionate and respects the rights of European citizens.
The main obstacle is that any national security initiative, if it is to succeed, must be coupled with a broader discussion of the division of authority between the EU institutions and the member states. For example, giving the European Union Agency for Police Cooperation (Europol) more investigative powers would likely be seen by national agencies as an encroachment on a crucial area of their sovereignty.
With several national authorities already refusing to participate in PEGA’s activities, European officials are likely to favor more pragmatic means of combating the proliferation of spyware.
How to avoid blinking in the crowd
The good news is that the chances of a regular user being targeted are quite low. But if you are ever attacked, you’re cooked; all you can do is burn your smartphone and get a new one.
This does not mean that you are completely defenseless: setting up good hygiene for your smartphone use is a good way to protect yourself:
- keep your phone and applications up to date
- download from official stores
- use multiple authentication factors
- block pop-ups on the internet
- use a firewall
- only open links or attachments in emails if you know the sender.
- Make regular backups to keep your data in case your device is compromised.
- Use 2 different smartphones, especially if you work in a sensitive environment.
Finally, let’s remember that our smartphones are no more secure than our computers, and we must be even more vigilant when using them. The Internet is a hostile place; treat it as such.
Quadream, le Pegasus bis déjà débranché
Source : Le Monde Informatique
Author : Dominique Filippone
Date : April 18, 2023
Linked to the DEV-0196 malware recently discovered by Microsoft and Citizen Lab, the Israeli company Quadream will shut down its operations in the coming days. Its Reign suite of large-scale surveillance tools was used for malicious purposes.
Why Does the Global Spyware Industry Continue to Thrive? Trends, Explanations, and ResponsesSource : Carnegie Endowment for International Peace
Author : Steven Feldstein, Brian Kot
Date : March 14, 2023
The global spyware and digital forensics industry continues to grow despite public backlash following various surveillance scandals, many linked to NSO Group’s Pegasus program.
Europe vs. Spyware, a struggle for fundamental rights
Source : GMF
Author : Romain Bosc, Charles Martinet
Date : February 28, 2023
The alleged abuse of spyware by European government agencies constitutes a threat to civil and political rights.
QuaDream, l’éditeur du logiciel espion Reign va cesser ses activités
Source : L’usine Digitale
Author : Jérôme Martin
Date : April 18, 2023
QuaDream, the publisher of the spyware Reign will cease its activities
The Israeli company QuaDream had developed a spyware that used Zero-click attack to spy on users
‘I’ve never seen anything like this:’ One of China’s most popular apps has the ability to spy on its users, say experts
Source : CNN Business
Author : Nectar Gan, Yong Xiong, Juilana Liu
Date : April 3, 2023
This article explain how Pinduoduo’s malware was discovered and could be used to recover data from more than 750 million user. It also highlights the elements leading to the success of apps like Pinduoduo and other apps that might be involved in similar cases
Le service mobile devient une cyber-arme
Source : Services mobiles.fr
Author : N/A, Rédaction
Date : April 20, 2023
Enea urges EU PEGA committee to expand beyond spyware to combat mobile surveillance threats and signaling infrastructure exploitation
QuaDream spyware on the Rise, Used to track political opposition and journalists
Source : CPO Magazine
Author : Scott Ikeda
Date : April 14, 2023
This article focuses on the rise of Quadream and its clients, and provide information on the scope of the REIGN spyware.
Zero-click attacks and what you can do about them
Source : CompariTech
Author : Marc Dahan
Date : January 2, 2023
Zero-click attacks are nasty business. This post explains in detail what zero-click attacks are and what we can do to mitigate them. Keep reading to find out more.