Microsoft said it found the software during efforts with partners to collect intelligence on sophisticated adversaries. Citizen Lab, based at the University of Toronto, said it uncovered five victims. The system worked in part by sending malicious calendar invites that would not be seen by the targets.
Some information about QuaDream previously came to light after a marketing brochure was discovered. Media outlets have since identified customers, including Saudi Arabia, Mexico and Singapore.
Citizen Lab said it now has located QuaDream servers in Bulgaria, Czech Republic, Hungary, Ghana, Israel, Mexico, Romania, Singapore, United Arab Emirates (UAE) and Uzbekistan. It noted that some of those countries, including Mexico and UAE, have widespread human rights issues and have been accused of deploying spyware on peaceful domestic opposition in the past.
Citizen Lab declined to name the most recent victims, saying that those people would come forward when they are ready. It is unclear whether the infections led to arrests or other consequences.
Like its better-known rival, NSO Group, maker of the similar Pegasus spyware, QuaDream sells its eavesdropping tools to government agencies. Unlike NSO, it has almost no visible corporate presence and may avoid the need for export licenses by dealing through a reseller based outside Israel, most notably the Cypriot firm InReach. NSO needs clearance from the Israeli ministry of defense.
The new research underscores how the high-end spyware industry is much bigger than one notorious company and more deeply enmeshed with governments, including those who say they only use such tools against terrorists or archcriminals.
QuaDream was established in 2016 by former NSO employees, and its investors and executive ranks have changed in the past few years. The person Citizen Lab identified as the most recent chief executive, Avi Rabinowitz, did not return a message seeking comment.
In 2021, QuaDream and NSO were accused of using the same iPhone software flaws to install spyware that could capture data, record calls and activate the camera surreptitiously, without any user interaction. Apple sent out warnings to affected users, including some of the ones now identified as QuaDream targets, and patched the flaws.
Through a spokesperson, Apple said it had no indication that the same software exploit has been used since then. Citizen Lab said that QuaDream is likely to have substituted a new exploit into its program that has not yet been detected.
U.S. agencies have experimented with programs like QuaDream’s in the past, specifically NSO’s Pegasus. The Commerce Department has banned business dealings with NSO and another spyware maker, but done nothing about QuaDream.
A broader two-week-old executive order from President Biden generally bars federal agencies from wielding such spyware tools if the maker puts human rights at risk. The White House did not respond to an email seeking comment on the new QuaDream findings.
Private companies, including Microsoft, Meta and Apple, have also been doing more to disrupt spyware operations and publicizing what they find. Meta’s Facebook said last year it disabled 250 accounts that QuaDream developers were apparently using to test their ability to extract messages and videos from mobile devices.
“There is growing awareness of the existence of cyber mercenaries and an increased and welcome focus by policymakers on both sides of the Atlantic on the issues related to spyware,” said Amy Hogan-Burney, Microsoft associate general counsel for cybersecurity. “At the same time those debates have only touched the tip of the proverbial iceberg.”