New spyware infected iPhones in 10 countries, report claims

12 Apr 2023

Image: © H_Ko/

In a similar fashion to Pegasus, this new spyware has allegedly been used to target journalists and political figures, though the victims have not been identified.

A new investigation claims an Israel-based spyware has been used against individuals in at least 10 countries across Europe, the Middle East, Asia and North America.

Reports by non-profit Citizen Lab and Microsoft claim an Israeli company called QuaDream creates “advanced digital offensive technology” for government clients.

The company is reportedly known for its spyware – marketed as Reign – which utilises zero-click exploits to hack into targeted devices without the victim’s knowledge.

In its report, Citizen Lab noted that this bears a similarity to Pegasus, the spyware that made headlines in 2021 when an investigation claimed it was used to target journalists, activists and government officials.

The reports suggest Reign spyware mainly targets iOS devices. Pegasus also exploited vulnerabilities in Apple products, which prompted Apple to file a lawsuit against its creator in a bid to “hold it accountable for the surveillance and targeting of Apple users”.

In its own report, Microsoft describes the Reign spyware as a “suite of exploits, malware, and infrastructure designed to exfiltrate data from mobile devices”.

The tech giant analysed a strain of malware and assessed “with high confidence” that it is connected to the company QuaDream, along with a “medium confidence” it is connected to the Reign spyware.

Microsoft said these captured malware samples targeted iOS devices, but there were “indications” that some of the code could be used on Android devices.

The malware appeared to target iOS 14 specifically, but Microsoft said it’s “highly likely” that the malware has since been updated.

Advanced spying capabilities

Citizen Lab claims it was able to uncover five victims of the spyware, which include journalists, political opposition figures and an NGO worker.

The report claims the spyware can perform various functions on infected devices such as recording calls, taking pictures, searching for files and tracking the device’s location.

“We found that the spyware also contains a self-destruct feature that cleans up various traces left behind by the spyware itself,” the Citizen Lab report said. “Our analysis of the self-destruct feature revealed a process name used by the spyware, which we discovered on victim devices.”

Using a network indicator, Citizen Lab identified more than 600 servers and 200 domain names that it believes “with high confidence” were linked with the QuaDream spyware between late 2021 and early 2023.

Through this investigation, the non-profit believes QuaDream systems have operated in Bulgaria, the Czech Republic, Hungary, Ghana, Israel, Mexico, Romania, Singapore, the United Arab Emirates and Uzbekistan.

In a report last December, Meta said it took down roughly 250 accounts on Facebook and Instagram that were allegedly linked to the QuaDream company.

“This network engaged in a similar testing activity between their own fake accounts, targeting Android and iOS devices in what we assess to be an attempt to test capabilities to exfiltrate various types of data including messages, images, video and audio files, and geolocation,” Meta said.

10 things you need to know direct to your inbox every weekday. Sign up for the Daily Brief, Silicon Republic’s digest of essential sci-tech news.

Leigh Mc Gowran is a journalist with Silicon Republic