Insidious Attack. Hackers attack iPhones via calendar app

A new espionage campaign by a spyware company has been uncovered. It is reminiscent of previous targeted attacks on iPhone users.

Spy software was able to infect iPhones via invisible calendar invitations. The attacks that have now been uncovered took place between January and November 2021 and used a then-unknown vulnerability in iOS 14, such as Microsoft and the human rights institution «Citizen Lab» to report.

An attack began with an invitation to an event that was earlier than the send date. That’s why it was automatically entered into the recipient’s iOS calendar without them noticing. The infection then ran in the background.

Unrestricted access to the iPhone

This gave the attackers almost unrestricted access to the iPhone. They might read out data, listen in on phone calls and activate the camera and microphone unnoticed. The spy software also had a self-destruct mode that was supposed to make detection more difficult.

Nevertheless, Microsoft and Citizen Lab managed to identify those responsible for the spyware. This is the Israeli company QuaDreams, which sold the software called “Reign” to various governments, which in turn mainly targeted journalists and members of the opposition.

New attacks probably in planning

This business model is almost identical to that of the Israeli spy company NSO Group, which compromised iOS and WhatsApp for authoritarian states and was subject to US sanctions for it. In fact, two former NSO employees are among the founders of QuaDream.

There are also large overlaps in terms of customers. QuaDream was used in Hungary, Ghana, Mexico, Israel, the United Arab Emirates and Uzbekistan, among others.

Apple has now closed the vulnerability, so this attack method can no longer be used. However, Microsoft suspects that QuaDream is exploiting previously unknown security gaps for new attacks.