Karma was used by an offensive cyber operations unit in Abu Dhabi composed of Emirati security officials and former American intelligence operatives working as contractors for the UAE’s intelligence services. The existence of Karma and of the hacking unit, code-named Project Raven, hasn’t been previously reported. Raven’s activities are detailed in a separate story published by Reuters today.
The tool could not intercept phone calls; however, it was used to obtain photos, emails, text messages, location information, and saved passwords, which could be used for other intrusions.
Lori Stroud, a former Raven operative who also previously worked at the U.S. National Security Agency, described the excitement when Karma was introduced. “It was like, ‘We have this great new exploit that we just bought. Get us a huge list of targets that have iPhones now,’” she said. “It was like Christmas.”
It appears that Karma functioned by exploiting a vulnerability in Apple's iMessage system, and it worked even if the target didn't use iMessage. To compromise a device, Karma needed only to send the device a text message. No action on the part of the recipient was needed.
It's not clear if Karma remains in use. Former operatives tell Reuters that the tool became less effective by the end of 2017 due to security updates Apple made to the iPhone's software.
More details in the full report linked below...