An Israeli surveillance company has been found infecting iPhones with spyware, possibly by exploiting Apple’s iCloud calendar invitation system.
The findings come from Microsoft and watchdog group Citizen Lab, which investigated spyware samples that allegedly come from Israel-based QuaDream. The spyware, dubbed “EndofDays,” was used back in 2021, and leveraged a “zero-click” exploit—or an attack that can hijack an iPhone without requiring the user to click on anything.
Once it infects, EndofDays can record audio from phone calls, secretly take pictures, and search through the device for files, among other capabilities, including a self-destruct function that can wipe traces of the spyware.
The self-erasing abilities make it difficult to understand the full scope of the attack. But in its report, Citizen Lab uncovered evidence that QuaDream was likely using “invisible iCloud calendar invitations sent from the spyware’s operator to victims” in order to deliver the attack.
The spyware samples themselves contain an ability to delete events from the iOS calendar associated with a specific email address. Citizen Lab also examined the iPhones belonging to two victims of the spyware that showed traces of tampering through calendar invite ICS files.
“We suspect that the attacker’s use of closing and opening CDATA tags in the .ics could potentially facilitate the inclusion of additional XML data that would be processed by the user’s phone, in order to trigger some behaviour desired by the attacker,” Citizen Lab said.
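The two artefacts Citizen Lab points to, calendar invites tied to a specific sender address and `.ics` content carrying closing and opening CDATA tags, are both things a forensic reviewer can check for in exported calendar data. The following script is an added example, not code from the article or from Citizen Lab: it unfolds RFC 5545 line continuations, parses each VEVENT into its properties, flags any property value that contains `<![CDATA[` or `]]>` (markup that has no place in an iCalendar file), and lists events by organizer mailbox. The two `.ics` samples, the mailboxes and the UIDs are constructed for illustration and are not the real QuaDream invites.

```python
from typing import Dict, List

# Constructed samples (not the real invites): one ordinary invite and one whose
# SUMMARY and DESCRIPTION values carry CDATA markers.
BENIGN_ICS = """BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//Example Corp//Calendar//EN
BEGIN:VEVENT
UID:benign-001@example.invalid
ORGANIZER:mailto:alice@example.invalid
SUMMARY:Team sync
DTSTART:20210301T100000Z
DTEND:20210301T103000Z
END:VEVENT
END:VCALENDAR
"""

SUSPICIOUS_ICS = """BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//Unknown//Calendar//EN
BEGIN:VEVENT
UID:odd-002@example.invalid
ORGANIZER:mailto:operator@example.invalid
SUMMARY:Reminder]]><![CDATA[
DESCRIPTION:<![CDATA[note]]>
DTSTART:20210301T110000Z
DTEND:20210301T113000Z
END:VEVENT
END:VCALENDAR
"""

CDATA_OPEN = "<![CDATA["
CDATA_CLOSE = "]]>"


def unfold(ics_text: str) -> List[str]:
    """Join RFC 5545 folded lines (continuation lines start with a space or tab)."""
    lines: List[str] = []
    for raw in ics_text.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_events(ics_text: str) -> List[Dict[str, str]]:
    """Minimal parser: one dict of property name -> value per VEVENT block."""
    events: List[Dict[str, str]] = []
    current: Dict[str, str] = None
    for line in unfold(ics_text):
        if line == "BEGIN:VEVENT":
            current = {}
        elif line == "END:VEVENT":
            if current is not None:
                events.append(current)
            current = None
        elif current is not None and ":" in line:
            name, value = line.split(":", 1)
            name = name.split(";", 1)[0].upper()  # drop property parameters such as ;CN=
            current[name] = value
    return events


def find_cdata_markers(ics_text: str) -> List[Dict[str, str]]:
    """Flag every property value containing CDATA markup.

    Each finding records the event UID, its ORGANIZER, the property name and
    which markers were seen ("open", "close" or "open,close").
    """
    findings: List[Dict[str, str]] = []
    for ev in parse_events(ics_text):
        for prop, value in ev.items():
            markers = []
            if CDATA_OPEN in value:
                markers.append("open")
            if CDATA_CLOSE in value:
                markers.append("close")
            if markers:
                findings.append({
                    "uid": ev.get("UID", ""),
                    "organizer": ev.get("ORGANIZER", ""),
                    "property": prop,
                    "markers": ",".join(markers),
                })
    return findings


def events_from_sender(ics_text: str, email: str) -> List[str]:
    """Return the UIDs of events whose ORGANIZER mailbox matches `email` (case-insensitive)."""
    wanted = email.strip().lower()
    uids = []
    for ev in parse_events(ics_text):
        organizer = ev.get("ORGANIZER", "").strip().lower()
        if organizer.startswith("mailto:"):
            organizer = organizer[len("mailto:"):]
        if organizer == wanted:
            uids.append(ev.get("UID", ""))
    return uids


if __name__ == "__main__":
    for label, text in (("benign", BENIGN_ICS), ("suspicious", SUSPICIOUS_ICS)):
        print(label, "CDATA findings:", find_cdata_markers(text))
    print("events from operator:", events_from_sender(SUSPICIOUS_ICS, "operator@example.invalid"))
```

The CDATA check is deliberately a plain substring match rather than an XML parse: iCalendar is not XML, so any occurrence of these markers in a property value is worth a closer look regardless of where it sits. In a real review the same two functions would be run over every `.ics` attachment or exported calendar database rather than the embedded samples.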
Hence, it’s possible the spyware arrived through emails carrying the malicious calendar invites. Citizen Lab researcher Bill Marczak also notes the malicious calendar invites were for
Read more on pcmag.com