QuaDreams has infected iPhones with spyware

The spyware, named “EndofDays”, was used in 2021 and can record audio from phone calls, take pictures in secret, and search through the device for files, among other things. Additionally, the spyware comes with a self-destruct function that can erase traces of itself. Microsoft and Citizen Lab, a watchdog group, have discovered that an Israeli surveillance company, QuaDream, has infected iPhones using a “zero-click” exploit.

A Citizen Lab researcher noted that the malicious calendar invites were for events logged in the past, which prevented iCloud from automatically notifying users about the invites. However, the researchers were unable to retrieve any XML data from the ICS files. The self-erasing capabilities of the spyware make it difficult to comprehend the full extent of the attack.

Citizen Lab’s investigation uncovered evidence that QuaDream likely used “invisible iCloud calendar invitations sent from the spyware’s operator to victims” to deliver the attack.

The spyware’s samples can delete events from the iOS calendar linked to a particular email address. Citizen Lab also examined iPhones belonging to two victims of the spyware that showed tampering traces through calendar invite ICS files. The attackers might have used emails containing malicious calendar invites to deliver the spyware.
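A triage heuristic for the backdated-invite trait described above, as an added example that is not from Citizen Lab or the original article: it flags events in an ICS file whose end time precedes the invite's own DTSTAMP. The sample calendar, the addresses and the function names are constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed sample: one backdated invite (folded ORGANIZER line), one future invite.
SAMPLE_ICS = """BEGIN:VCALENDAR
BEGIN:VEVENT
UID:constructed-1@example.invalid
DTSTAMP:20210310T120000Z
DTSTART:20200101T090000Z
DTEND:20200101T100000Z
ORGANIZER:mailto:sender@
 example.invalid
END:VEVENT
BEGIN:VEVENT
UID:constructed-2@example.invalid
DTSTAMP:20210310T120000Z
DTSTART:20210401T090000Z
END:VEVENT
END:VCALENDAR
"""

def unfold(text):
    """RFC 5545 unfolding: a line break followed by one space or tab continues the line."""
    return text.replace("\r\n", "\n").replace("\n ", "").replace("\n\t", "").splitlines()

def parse_utc(value):
    """Parse a UTC DATE-TIME (YYYYMMDDTHHMMSSZ); local or floating times return None."""
    try:
        return datetime.strptime(value, "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None

def backdated_events(ics_text):
    """Return VEVENT property dicts whose DTEND (or DTSTART) is earlier than DTSTAMP."""
    hits, event = [], None
    for line in unfold(ics_text):
        name, _, value = line.partition(":")
        key = name.split(";")[0].upper()  # drop parameters such as ;TZID=...
        if line == "BEGIN:VEVENT":
            event = {}
        elif line == "END:VEVENT" and event is not None:
            end = parse_utc(event.get("DTEND") or event.get("DTSTART", ""))
            stamp = parse_utc(event.get("DTSTAMP", ""))
            if end and stamp and end < stamp:  # event was already over when the invite was made
                hits.append(event)
            event = None
        elif event is not None:
            event[key] = value
    return hits
```

A hit is a lead for manual review rather than a verdict, since ordinary calendar tools also send invites for past events.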
