A defect in Apple software exploited by Israeli surveillance firm NSO Group to break into iPhones in 2021 was simultaneously abused by a competing company, according to five people familiar with the matter.
QuaDream, the sources said, is a smaller, low-profile Israeli company that also develops smartphone hacking tools aimed at government clients.
The two rival companies gained the same ability to remotely access iPhones last year, according to the five sources, meaning both companies could compromise Apple phones without the owner needing to open a malicious link. That two companies used the same sophisticated hacking technique, known as “zero click,” shows that phones are more vulnerable to powerful digital espionage tools than the industry will admit, an expert has said.
“People want to believe it’s safe, and phone companies want you to believe it’s safe. What we have learned is that they are not,” said Dave Aitel, a partner at Cordyceps Systems, a cybersecurity firm.
Experts analyzing intrusions designed by NSO Group and QuaDream since last year believe the two companies used very similar software exploits, known as ForcedEntry, to hijack iPhones.
An exploit is computer code designed to take advantage of a set of specific software vulnerabilities, giving a hacker unauthorized access to data.
Analysts believed the NSO and QuaDream exploits were similar because they exploited many of the same vulnerabilities hidden deep within Apple’s instant messaging platform and used a comparable approach to install malicious software on targeted devices, according to three of the sources.
Bill Marczak, a security researcher at digital watchdog Citizen Lab who has been studying both companies’ hacking tools, told Reuters that QuaDream’s zero-click capability seemed “on par” with NSO’s.
Reuters made repeated attempts to reach QuaDream for comment, sending messages to executives and business partners. A Reuters reporter visited QuaDream’s office in Ramat Gan, a suburb of Tel Aviv, last week, but no one answered the door. Israeli lawyer Vibeke Dank, whose email was listed on QuaDream’s corporate registration form, also did not return repeated messages.
An Apple spokesperson declined to comment on QuaDream or say what action they planned to take regarding the company.
ForcedEntry is seen as “one of the most technically sophisticated exploits” ever caught by security researchers.
So similar were the two versions of ForcedEntry that when Apple fixed the underlying flaws in September 2021, both the NSO and QuaDream spyware were rendered ineffective, according to two people familiar with the matter.
In a written statement, an NSO spokeswoman said the company “did not cooperate” with QuaDream but “the cyber intelligence industry continues to grow rapidly globally.”
In its lawsuit, Apple said it “continually and successfully prevents a variety of hacking attempts.” NSO has denied any wrongdoing.
Spyware companies have long argued that they sell high-powered technology to help governments thwart national security threats. But human rights groups and journalists have repeatedly documented the use of spyware to target civil society, undermine political opposition and interfere in elections.
Apple notified thousands of ForcedEntry targets in November, making elected officials, journalists, and human rights workers around the world aware that they had been placed under surveillance.
In Uganda, for example, NSO’s ForcedEntry was used to spy on US diplomats, Reuters reported.
In addition to Apple’s lawsuit, Meta’s WhatsApp is also litigating the alleged abuse of its platform. In November, the US Department of Commerce placed NSO on a trade blacklist over human rights concerns.
Unlike NSO, QuaDream has kept a lower profile despite serving some of the same government clients. The company does not have a website promoting its business and employees have been told to keep any references to their employer off social media, according to a person familiar with the company.
QuaDream was founded in 2016 by Ilan Dabelstein, a former Israeli military officer, and two former NSO employees, Guy Geva and Nimrod Reznik, according to Israeli corporate records and two people familiar with the business. Reuters was unable to reach the three executives for comment.
Like NSO’s Pegasus spyware, QuaDream’s flagship product, called REIGN, could take control of a smartphone, collecting instant messages from services like WhatsApp, Telegram and Signal, as well as emails, photos, texts and contacts, according to two product brochures from 2019 and 2020 which were reviewed by Reuters.
REIGN’s “Premium Collection” capabilities included “real-time call recordings,” “camera activation: front and rear,” and “microphone activation,” one brochure said.
Prices seemed to vary. A QuaDream system, which would have given customers the ability to launch 50 smartphone break-ins per year, was being offered for $2.2 million not including maintenance costs, according to the 2019 brochure. Two people familiar with sales of the software said that REIGN’s price was typically higher.
Over the years, QuaDream and NSO Group have employed some of the same engineering talent, according to three people familiar with the matter. Two of those sources said the companies did not cooperate on their iPhone hacks, each devising its own way to exploit the vulnerabilities.
Several of QuaDream’s buyers have also overlapped with those of NSO, four of the sources said, including Saudi Arabia and Mexico, which have been accused of misusing spy software to target political opponents.
One of QuaDream’s early customers was the Singapore government, two of the sources said, and documentation reviewed by Reuters shows the company’s surveillance technology was also introduced to the Indonesian government. Reuters was unable to determine whether Indonesia became a client.
Mexican, Singaporean, Indonesian and Saudi officials did not respond to messages seeking comment on QuaDream.