Karma reportedly didn't work on Android devices, but was deemed especially powerful as it could plant malware on an iPhone without requiring an action from the target. Three former operatives said the tool relied partially on a flaw in iMessage. All it supposedly took to trigger the breach was for a text message to be sent to the target device using the cyber-tool. Both Apple and the UAE government declined to comment on the report.
In 2016 and 2017, the hacking unit composed of ex-American intelligence operatives working as contractors for the UAE's intelligence services set up camp in Abu Dhabi. From there, they harnessed the tool to acquire photos, emails, texts and location data from targets' iPhones. Karma also reportedly helped the team to scoop saved passwords for other breaches, according to several former operatives (who were not Emirati citizens) and program documents reviewed by Reuters.
In 2017, the operatives allegedly used Karma to hack an iPhone used by Qatar's Emir Sheikh Tamim bin Hamad al-Thani, as well as the devices of Turkey's former Deputy Prime Minister Mehmet Şimşek, and Oman's head of foreign affairs, Yusuf bin Alawi bin Abdullah. Ultimately, the tool was apparently used to gain entry into the accounts of hundreds of prominent Middle Eastern political figures and activists across the region and in Europe. However, there's no evidence (as of yet) to suggest that compromising information was leaked. The Washington embassies of Qatar, Oman and Turkey did not respond to the report. Nor could Reuters confirm the origin of Karma, though it said it was purchased from a vendor outside the UAE.
In a separate Reuters exposé, Lori Stroud (a former NSA staffer who later joined Project Raven) said Karma was also used to spy on American citizens. While the hiring of US contractors to assist with espionage remains a grey area, hacking or stealing info from America is considered illegal. Stroud told of how she'd been recruited by a Maryland cybersecurity contractor named CyberPoint only to wind up in the UAE in 2016. The small Middle Eastern nation, an ally of Saudi Arabia, brought on Stroud (and other US contractors) to help launch its cyber-surveillance program, which was overseen by local cybersecurity firm DarkMatter.
By the end of 2017, Karma had apparently become far less effective due to Apple's iOS security updates. But the timing of this report couldn't be worse for Apple, arriving as it does in the wake of its FaceTime bug that let users eavesdrop on calls -- and in light of CEO Tim Cook's appeals for increased privacy and GDPR-style regulations in the US.
Apple has infamously resisted requests from law enforcement to create a backdoor piece of software that could bypass the security protections built into iOS. Faced with the blockade, the FBI turned to a third party to crack the iPhone 5c belonging to one of the San Bernardino attackers back in 2016. That in turn led to a lucrative market springing up for zero-day iPhone exploits.