News > Phones A Second Surveillance Firm Was Caught Hacking iPhones Like NSO Group, QuaDream was installing spyware using zero-click vulnerability By Rob Rich Rob Rich Twitter News Reporter College for Creative Studies Rob is a freelance tech reporter with experience writing for a variety of outlets, including IGN, Unwinnable, 148Apps, Gamezebo, Pocket Gamer, Fanbolt, Zam, and more. lifewire's editorial guidelines Published on February 3, 2022 11:51AM EST Fact checked by Jerri Ledford Fact checked by Jerri Ledford Western Kentucky University Gulf Coast Community College Jerri L. Ledford has been writing, editing, and fact-checking tech stories since 1994. Her work has appeared in Computerworld, PC Magazine, Information Today, and many others. lifewire's fact checking process Tweet Share Email Tweet Share Email Phones Mobile Phones Internet & Security Computers & Tablets Smart Life Home Theater & Entertainment Software & Apps Social Media Streaming Gaming In addition to NSO Group, a second surveillance firm was found to have been using the iPhone's zero-click exploit to spy on users. According to Reuters, the QuaDream firm was similarly using the zero-click exploit to spy on its targets without the need to trick them into downloading or clicking on anything. Sources allege that QuaDream began using this ForcedEntry exploit in iMessage that was first discovered in September 2021. Apple was quick to patch the exploit within that same month. Jeffrey Coolidge / Getty Images QuaDream's flagship spyware, dubbed REIGN, worked much like NSO Group's Pegasus spyware by installing itself on target devices without warning or need for user interaction. Once in place, it began gathering contact info, emails, messages from various messaging apps, and photos. According to a brochure acquired by Reuters, REIGN also offered call recording and camera/microphone activation. QuaDream is suspected of using the same exploit as NSO Group because, according to sources, both spyware programs took advantage of similar vulnerabilities. They both also used a similar approach to installing malicious software, and Apple's patch managed to stop both of them in their tracks. While the zero-click vulnerability in iMessage has been addressed, effectively cutting off both Pegasus and REIGN, it's not a permanent solution. As Reuters points out, smartphones are not (and will probably never be) completely secure from every conceivable form of attack. Was this page helpful? Thanks for letting us know! Get the Latest Tech News Delivered Every Day Email Address Sign up There was an error. Please try again. You're in! Thanks for signing up. There was an error. Please try again. Thank you for signing up! Tell us why! Other Not enough details Hard to understand Submit