Zero-Click iPhone Exploit Used by NSO Group Also Abused by Second Surveillance Firm

A new report says that an NSO Group rival had also exploited an iPhone flaw that allowed its customers to remotely hack smartphones.

Last year, Apple sued Israeli surveillance firm NSO Group over its use of zero-click iPhone exploits to help bad actors spy on iPhone users. Since then, many political activists have been notified by Apple that they were specifically targeted by the group’s “ForcedEntry” attack.

ForcedEntry, the now-fixed flaw in Apple’s software exploited by NSO Group to break into iPhones in 2021, was simultaneously abused by a competing company, Reuters reports, citing “five people familiar with the matter.”

The sources confirmed the existence of Israeli spyware company QuaDream, a group that offered the ability to compromise iPhones in a manner similar to ForcedEntry, around the same timeframe that the NSO Group did.

In a written statement to Reuters, an NSO Group spokesperson said that the company “did not cooperate” with QuaDream. However, the spokesperson noted that “the cyber intelligence industry continues to grow rapidly globally.”

QuaDream’s main hacking software was an app called “Reign,” which the company in 2019 advertised had the ability to hack 50 smartphones per year for a fee of $2.2 million USD. “Real time call recordings” as well as camera and microphone activation were both available for an additional fee.

QuaDream and NSO Group both used the same ForcedEntry iPhone vulnerability, although they were independently developed. When Apple patched the flaw in iOS 14.8 to block NSO Group’s exploit, it also blocked QuaDream’s similar exploit.

“People want to believe they’re secure, and phone companies want you to believe they’re secure. What we’ve learned is, they’re not,” said Dave Aitel, a partner at Cordyceps Systems, a cybersecurity firm.