Exclusive: iPhone flaw exploited by second Israeli spy firm - sources

© Reuters. An entrance to a QuaDream office can be seen at a high-rise building in Ramat Gan, Israel. Photo taken January 25, 2022. REUTERS/Nir Elias

Raphael Satter, Christopher Bing

WASHINGTON (Reuters) - Five individuals familiar with the matter say that an Apple (NASDAQ) flaw was used by NSO Group, an Israeli surveillance company, to gain access to iPhones in 2021.

The sources said QuaDream is a smaller Israeli company that also makes smartphone hacking tools for government clients.

According to the five sources, the two rival companies were able to access iPhones remotely last year, meaning both could compromise Apple phones without the owner needing to open a malicious link. That two firms employed the same sophisticated hacking technique, known as a “zero-click”, shows that phones are more vulnerable to powerful digital spying tools than the industry will admit, one expert said.

“People believe that they are safe, and the phone companies believe so. We’ve found that they are not,” stated Dave Aitel of Cordyceps Systems.  

Analysts who have been examining intrusions by QuaDream and NSO Group since 2012 concluded that the companies used similar software exploits, known as ForcedEntry, to break into iPhones.

An exploit is a piece of code that uses a vulnerability to give a hacker unauthorised access to data.

According to three sources, the analysts thought NSO’s and QuaDream’s exploits were identical because they used many of the same vulnerabilities in Apple’s instant messaging platform. They also used similar approaches to install malicious software onto targeted devices.

Bill Marczak, a Citizen Lab security researcher who has studied both companies’ hacking tools, told Reuters that QuaDream’s zero-click capability was “on par” with NSO’s.

Reuters repeatedly attempted to contact QuaDream for comment, sending messages to business associates and executives. A Reuters journalist last week visited QuaDream’s office in the Tel Aviv suburb of Ramat Gan, but no one answered the door. Vibeke Dank, an Israeli lawyer whose email was on QuaDream’s corporate registration forms, did not answer multiple messages.

An Apple spokesman declined to comment on QuaDream or to say what, if any, action they planned to take with regard to the company.

ForcedEntry was deemed “one of the most technically complex exploits” by security researchers.

So similar were the two versions of ForcedEntry that when Apple fixed the underlying flaws in September 2021, it rendered both NSO’s and QuaDream’s spy software ineffective, according to two people familiar with the matter.

A spokeswoman for NSO stated that QuaDream did not collaborate with her company, but that “the global cyber intelligence market continues to grow quickly.”

Apple sued NSO Group in November over ForcedEntry, alleging that NSO violated Apple’s terms of service agreement. The case is still in its early stages.

Apple stated in the lawsuit that it has “continuously and successfully fended off many hacking attempts.” NSO denies any wrongdoing.

Spyware firms have claimed for years that they sell high-powered technology to help governments thwart national security threats. Journalists and human rights organizations have repeatedly documented the misuse of spyware to target civil society, undermine opposition and interfere with elections.

Apple notified thousands of ForcedEntry targets by November. This made journalists and elected officials around the globe aware that they were under surveillance.

Reuters has reported that NSO’s ForcedEntry was used in Uganda to monitor U.S. diplomats.

In addition to the Apple suit, Meta’s WhatsApp is also suing NSO over the alleged misuse of its platform. NSO was placed by the U.S. Commerce Department on November 1st due to concerns about human rights.

QuaDream, unlike NSO, has maintained a low profile even though it serves many of the same clients. A person who knows the company said that QuaDream has not created a website to promote its business, and that employees were instructed to refrain from mentioning their employer on social media.

REIGN

QuaDream Inc. was started in 2016 at the request of Ilan Dabelstein (an ex-military official) and Guy Geva and Nimrod Znik (ex-NSO employees), according to Israeli corporate records. Reuters was unable to reach these three individuals for comment.

QuaDream’s most popular product, REIGN, can take control of a smartphone and collect instant messages from various services like WhatsApp, Telegram and Signal. The product could also access texts as well as emails and photos.

REIGN’s “Premium Collection” capabilities included “real time call recordings”, “camera activation – front and back” and “microphone activation”, one brochure said.

The prices were variable. The 2019 brochure stated that one QuaDream would give customers the capability to launch 50 smartphone break-ins per annum. REIGN is typically more expensive, according to two sources familiar with its sales.

Three people who are familiar with the matter say that QuaDream and NSO Group used some of the same engineering talent over the years. According to two of the sources, the companies did not work together on hacking iPhones, and each came up with its own methods of exploiting vulnerabilities.

QuaDream has had a number of buyers who overlap with NSO’s. Four sources claimed that these include Mexico and Saudi Arabia, both of which have been charged with using spy software to attack political opponents.

QuaDream had its first clients in Singapore, according to two sources. Reuters reviewed documentation that shows QuaDream pitched surveillance technology to the Indonesian government. Reuters could not determine if Indonesia was a client.

Officials from Saudi Arabia, Singapore, Indonesia, and Mexico did not respond to messages seeking comments on QuaDream.
