Laptop
Kimberly Gedeon

This iPhone spyware may have hijacked your cameras — why didn't Apple warn us?

The Microsoft Threat Intelligence (MTI) team, alongside Citizen Lab, discovered an iPhone spyware that took advantage of an iOS 14 zero-day exploit. The alleged iOS exploit called "ENDOFDAYS" used invisible iCloud calendar invitations to wreak havoc on victims' iPhones.

The spyware has a name, too. It's called "KingsPawn," and cybersecurity researchers found that at least five high-profile figures were victims of the malicious monitoring software, including journalists, political-opposition figures, and NGO workers.

Who is behind KingsPawn?

MTI and Citizen Lab concluded with "high confidence" that QuaDream, an Israel-based company that specializes in developing malicious software for government clients, is the perpetrator. Governments allegedly hire QuaDream for "digital offensive technology" to keep tabs on their political opponents. 

Interestingly, in a 2022 report called "Threat Report on the Surveillance-for-Hire Industry," Meta detected strange activity on its platforms, spotting about 250 accounts being used to test QuaDream's iOS and Android spyware.

"QuaDream operates with a minimal public presence, lacking a website, extensive media coverage, or social media presence. QuaDream employees have reportedly been instructed to refrain from mentioning their employer on social media," Citizen Lab said.

What does KingsPawn do?

KingsPawn is a nasty little bugger that takes advantage of a zero-day exploit that affected iOS versions 14.4 and 14.4.2. As mentioned, it used undetectable iCloud calendar invites to deploy spyware.

"On iOS 14, any iCloud calendar invitation with a backdated time received by the phone is automatically processed and added to the user’s calendar with no user-facing prompt or notification," Citizen Lab said. 

What can KingsPawn do? Check out its functions below:

  • Record audio from phone calls
  • Record audio from microphone
  • Take pictures using device's front and back cameras
  • Exfiltrate and remove keychain items
  • Generate iCloud 2FA passwords
  • Search through device files & databases
  • Track victims' location

To make matters worse, this spyware comes with a self-destruct feature that can erase its own traces on victims' devices.

Why didn't Apple warn us sooner?

According to Citizen Lab, Apple reportedly notified the targets who were affected by QuaDream's cybercriminal activities in a "round of notifications" issued on Nov. 23, 2021. The cybersecurity researchers also notified Apple about this spyware attack at multiple points during their investigation.

As such, Apple knew about this exploit as of late 2021, but it does not appear that the Cupertino-based tech giant publicly informed iPhone users about this gnarly zero-day security issue. As Laptop Mag Assistant Managing Editor Sean highlighted, Apple unsigned iOS 14.4.2 suspiciously quickly (preventing iOS users from reverting to this version), suggesting that it harbored some serious security concerns.

It's about time that Apple, Samsung, Google, and other big-name smartphone makers stop putting their image-conscious fears ahead of users' security and privacy. Bugs and exploits happen — just be transparent about them.
