Pegasus-like spyware Reign was used in targeted iPhone attacks

Apr 12, 2023

Security experts at the University of Toronto's Citizen Lab have spilled the beans on a Pegasus-like spyware called Reign. A report published by the researchers reveals that the exploit was used in targeted iPhone attacks.

The Pegasus spyware made by the NSO Group is probably the most infamous one of the lot. The mercenary malware was sold to various Governments around the World, and was used to spy on high profile targets, using a zero-day exploit that was termed as ForcedEntry.

Citizen Lab is often credited for finding and reporting bugs in iOS and macOS to Apple. Microsoft Threat Intelligence obtained some samples of the Reign spyware, which they called KingsPawn. You can read their analysis of the spyware here. Microsoft Threat Intelligence shared 2 samples of the Reign spyware with the security researches at Citizen Lab, who dissected them to analyze the malware's code. They have published their findings in a blog article on their website.

What is the Reign spyware?

Reign was created by QuaDream, an Israeli company that was founded by a former military official, and allegedly has ties with intelligence agencies. This isn't the first time we are hearing about it, the spyware came to light in February 2022.

Meta released a Threat Report in December 2022, which mentioned that it detected some suspicious activity on about 250 accounts on its platforms, that were attributed to QuaDream. It was believed that the accounts were being used to test the spyware's capabilities on iOS and Android operating systems.

The Reign spyware seems to have been used in North America, Central Asia, Southeast Asia, Europe, and the Middle East. The report mentions that it was sold to government clients in Singapore, Saudi Arabia, Mexico, and Ghana. QuaDream had also offered its services to Indonesia and Morocco. Victims of the attack include journalists, political opposition figures, and an NGO worker. Further investigations revealed that QuaDream has servers operating from Bulgaria, Czech Republic, Hungary, Ghana, Israel, Mexico, Romania, Singapore, United Arab Emirates (UAE), and Uzbekistan.

Interestingly, QuaDream is involved in a legal feud with InReach, a Cyprus based firm, which was set up in 2017, for promoting the former's products outside its home Country. InReach however failed to transfer the revenues from sales of QuaDream's products per an agreement, which resulted in the latter freezing InReach's assets. QuaDream accused that InReach was funneling payments from customers to a secret bank account in Switzerland. The feud had a ripple effect in that it revealed several individuals from both companies had prior connections with a 3rd surveillance company called Verint, and other Israeli intelligence agencies.

How the Reign spyware was used for targeted iPhone attacks

Citizen Lab says that the 1st sample of Reign acted as a downloader that was used to extract information about the victim's device such as the iOS version, battery status, Wi-Fi SSID, Cellular carrier, phone number, SIM card data, etc.  It could also download and execute a secondary payload. The 2nd sample was the actual mercenary spyware payload.

The researchers discovered that threat attackers used a zero-click exploit in iOS 14, specifically iOS 14.4 and 14.4.2, to deploy Reign. The exploit, which has been termed as ENDOFDAYS, uses invisible iCloud calendar invitations sent from the attacker to a victim. The .ICS file had invitations to 2 overlapping events that were backdated. iOS 14 processed backdated calendar invitations automatically without notifying the user, i.e. no interaction was required. This method was exploited by the ENDOFDAYS attack as a zero-click exploit to deploy the spyware stealthily on the victim's device.

QuaDream Reign spyware capabilitiesAmong other things, the spyware was capable of tracking the device's location, record audio from the microphone, record audio from calls, take pictures through the front or rear camera, extract Keychain data, generate iCloud 2FA passwords, search the files on the phone, etc. It could even clean its traces, leaving behind no remnants.

Image courtesy: Citizen Lab

A reminder about Lockdown Mode in iOS and macOS

State-sponsored attacks usually target people such as journalists, activists, or other important civilians, whom a Government might view as a threat. In case you aren't aware, last year, Apple introduced a feature called Lockdown Mode in iOS 16, iPadOS 16 and macOS Ventura 13. The option, when enabled, shuts off various attack vectors that are usually exploited by hackers. Lockdown mode was specifically designed to protect users against targeted attacks, so it could be useful for people who may be vulnerable to such threats.

Pegasus-like spyware Reign was used in targeted iPhone attacks
Article Name
Pegasus-like spyware Reign was used in targeted iPhone attacks
More details have emerged about the Reign spyware that was used in targeted iPhone attacks.
Ghacks Technology News

Tutorials & Tips

Previous Post: «
Next Post: «


  1. Anonymous said on April 24, 2023 at 2:10 am

    What’s with Israel being so often at the vangard of surveillance and repression tools ? (and no, this is not meant as a compliment)

    “Take pictures using front & back cameras”

    Don’t forget to put opaque tape on those when not in use, by the way.

    “State-sponsored attacks usually target people such as journalists, activists, or other important civilians, whom a Government might view as a threat.”

    That’s not true. Targets of such surveillance are often ordinary people too.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.