A new commercial spyware, KingsPawn, has been found to be developed by QuaDream, an Israel-based firm known for its Reign spyware (a Pegasus-like threat). The spyware is being used to compromise the iPhones of high-risk individuals via a new zero-click exploit, ENDOFDAYS.

iPhone hack for dropping spyware

The attackers abused a zero-day flaw in iPhone devices running iOS 1.4 to 14.4.2, in attacks carried out between January and November 2021. The exploit was delivered through backdated, invisible iCloud calendar invitations.
  • To begin the attack, iCloud calendar invitations with backdated timestamps are sent to targeted iOS devices. These invites get added to the victim’s calendar automatically, without any prompt or notification.
  • By sending a specifically crafted invitation, attackers can inject XML data into the victim’s device.
  • This further allows the execution of the ENDOFDAYS exploit without any interaction with the victim and the entire attack stays hidden from the victim’s eyes.
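The delivery vector described above is a calendar invitation whose timestamps are deliberately set in the past so that it is added silently. The following triage heuristic is an added example, not code from Cyware, QuaDream's victims, or the researchers who analysed KingsPawn: it parses a constructed iCalendar (.ics) export and flags events whose start time lies well before the time the invite itself was produced (DTSTAMP). The UTC-only timestamp format, the 30-day threshold and the sample data are assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed sample iCalendar export (not real attacker data). The second
# event is backdated: its DTSTAMP (when the invite was produced) is long
# after its DTSTART, the pattern a silently added backdated invite shows.
SAMPLE_ICS = """BEGIN:VCALENDAR
BEGIN:VEVENT
UID:normal-1
DTSTAMP:20210301T090000Z
DTSTART:20210305T100000Z
ORGANIZER:mailto:colleague@example.org
SUMMARY:Team sync
END:VEVENT
BEGIN:VEVENT
UID:suspect-1
DTSTAMP:20210601T120000Z
DTSTART:20200101T000000Z
ORGANIZER:mailto:unknown@example.net
SUMMARY:(no title)
END:VEVENT
END:VCALENDAR
"""

def parse_ics_time(value):
    # Assumption: only the UTC form YYYYMMDDTHHMMSSZ is handled here.
    return datetime.strptime(value.strip(), "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)

def parse_events(ics_text):
    # Split the export into VEVENT blocks and read each "KEY[;params]:value" line.
    events = []
    for block in re.findall(r"BEGIN:VEVENT\n(.*?)\nEND:VEVENT", ics_text, re.S):
        props = {}
        for line in block.splitlines():
            key, _, val = line.partition(":")
            props[key.split(";")[0]] = val
        events.append(props)
    return events

def find_backdated_invites(ics_text, min_days=30):
    """Return UIDs of events whose start lies more than min_days before
    the moment the invite was produced (DTSTAMP). Heuristic only."""
    flagged = []
    for ev in parse_events(ics_text):
        try:
            stamp = parse_ics_time(ev["DTSTAMP"])
            start = parse_ics_time(ev["DTSTART"])
        except (KeyError, ValueError):
            continue  # missing or non-UTC timestamps are skipped
        if (stamp - start).days > min_days:
            flagged.append(ev["UID"])
    return flagged
```

Flagged events are candidates for closer review alongside the organizer address, not proof of compromise.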

The compromised devices belonged to victims in Central Asia, Europe, the Middle East, North America, and Southeast Asia. Moreover, the victims mainly included journalists, NGO workers, and political opposition figures.

Additional Snippets about KingsPawn

  • QuaDream servers hosting KingsPawn are located in various countries, such as Bulgaria, Ghana, the Czech Republic, Uzbekistan, Israel, Mexico, Singapore, Romania, UAE, and Hungary.
  • Although the captured samples specifically targeted iOS devices, there are indications that some code could be used on Android devices.
  • Furthermore, KingsPawn has been designed to self-destruct, cleaning its tracks from the victims' iPhones to avoid detection.

Conclusion

The recent campaign further establishes that the commercial spyware industry is growing as the number of buyers surges. iOS device users are advised to enable Lockdown Mode, which offers enhanced security for iOS devices. Additionally, experts recommend following best practices, such as enabling automatic software updates and using reliable anti-malware software, to stay protected.
Cyware Publisher