A Leak Details Apple’s Secret Dirt on a Trusted Security Startup

A 500-page document reviewed by WIRED shows that Corellium engaged with several controversial companies, including spyware maker NSO Group.
Illustration of an eye looking through a loophole of code
Illustration: Jacqui VanLiew; Getty Images

Corellium, a cybersecurity startup that sells phone-virtualization software for catching security bugs, offered or sold its tools to controversial government spyware and hacking-tool makers in Israel, the United Arab Emirates, and Russia, and to a cybersecurity firm with potential ties to the Chinese government, according to a leaked document reviewed by WIRED that contains internal company communications.

The 507-page document, apparently prepared by Apple with the goal of using it in the company’s 2019 copyright lawsuit against Corellium, shows that the security firm, whose software lets users perform security analysis using virtual versions of Apple’s iOS and Google’s Android, has dealt with companies that have a track record of selling their tools to repressive regimes and countries with poor human rights records.

According to the leaked document, Corellium in 2019 offered a trial of its product to NSO Group, whose customers have for years been caught using its Pegasus spyware against dissidents, journalists, and human rights defenders. Similarly, Corellium’s sales staff offered to provide a quote to purchase its software to DarkMatter, a now-shuttered cybersecurity company with ties with the UAE government that hired several former US intelligence members who reportedly helped it spy on human rights activists and journalists

In correspondence with WIRED, Corellium says NSO Group and Dark Matter had access to “a limited time/limited functionality trial version of Corellium's software” and that both were later denied requests to purchase the full version following its vetting process. 

For years Corellium has painted itself as a crucial defender against software bugs on Android and iOS. But the leaked document shows that Corellium worked with several companies that use bugs and exploits to hack into cell phones, as opposed to helping Google and Apple patch vulnerabilities.

The document includes emails between Corellium staff and customers or potential customers, including NSO Group and DarkMatter. The document is not public and is being reported on for the first time here. 

“As one of our early beta requesters, we’re delighted to extend you and your team at NSO Group an exclusive invitation to try Corellium, the world’s first and only mobile device virtualization platform. We think you’ll really enjoy the advanced mobile security research tools we have to offer,” reads a March 26, 2019, email between Correllium’s support staff and an NSO Group employee. “Your free trial will last until April 9. Trial accounts are limited, but if you need more time, or if you prefer to start your trial at a different time, just let us know.”

In the case of DarkMatter, the document includes an email exchange between a company employee and a Corellium sales email address. The emails are not dated, but they apparently reference a 2019 training on how to use the platform that Corellium offered potential customers at the cybersecurity conference Black Hat.

“I was a trainer at Blackhat last year where you guys had provided us access to the portal for a few days and I was very impressed with the amount of features it had,” the DarkMatter employee wrote. “We are interested in purchasing it. Can you guys provide us a quote for all the available options that you have?”

“We’re so glad to hear that you enjoyed using Corellium at Blackhat, and we actually have DarkMatter on our list of teams to reach out to regarding availability,” an unnamed Corellium employee responded. “We’d be more than happy to provide you a quote with all the options checked.”

Also in 2019, according to the document, Corellium sold its software to Paragon, a little-known company that has since been reported to be a provider of government surveillance technology. Corellium also licensed its software to a company called Pwnzen Infotech, whose founders were part of Pangu Team, a well-known Chinese group of elite iOS and iPhone hackers. A Pwnzen sales representative told Reuters in 2019, when Pwnzen was already a Corellium customer, that the company helped hack the phone of a person suspected of “subverting the government” in China. 

“There are a number of ties between Pwnzen and the People’s Republic of China’s government that are cause for concern,” says Dakota Cary, a consultant at Krebs Stamos Group who has written several reports about cybersecurity in China. “Bolstering Pwnzen’s hacking capabilities likely occurred at the detriment to US security interests,” he added, explaining that the company’s improved capabilities could have provided the Chinese government with better tools to hack targets inside and outside of the country, including the US.

Also, as of today, Corellium counts Russian iPhone hacking company Elcomsoft as a customer. And in 2019, Corellium sold to Elcomsoft’s Israeli competitor Cellebrite, a firm that helps law enforcement unlock iPhones and access the data stored within. Cellebrite has reportedly sold its phone-hacking products to countries such as ChinaSaudi Arabia, and Bahrain, among others. 

Corellium did not dispute the legitimacy of the document, but it also did not respond to a series of questions about its contents. Instead, Corellium CEO Amanda Gorton shared a draft of a blog post in which the company says it offered trials to NSO Group and DarkMatter but denied that the two companies became customers. 

“We’ve had opportunities to profit from these bad actors and have chosen not to,” the blog post reads. It further explains that Corellium restricts sales of its cloud product to “fewer than sixty countries” and has a “block list” of organizations.

Corellium didn’t specify the 60 countries, nor did it answer specific questions about Paragon, Pwnzen, Cellebrite, or Elcomsoft. The company wrote in the blog post that as the sales process goes on, the vetting gets “more intensive.” According to the blog post, that means Corellium asks about the customer’s use case, consults with “trusted contacts in the security community, including contacts at various US government agencies,” and looks at the potential customer’s online presence and investigates its “ownership, corporate structure, and employees.”

Apple did not respond to a request for comment, nor did NSO Group, Cellebrite, or Pwnzen. XiaBo Chen, who identifies as the founder of Pwnzen on LinkedIn, did not respond to multiple requests for comment. After the controversy surrounding DarkMatter’s role in targeting activists and journalists, the company reportedly rebranded to Digital14 in 2019, then to CPX in 2021. Digital14 and CPX did not respond to requests for comment.

Idan Nurick, the CEO and cofounder at Paragon, says that “as a matter of principle, Paragon maintains the confidentiality of its clients, as well as technology providers, and the company does not disclose any information pertaining to these entities.”

Vladimir Katalov, the CEO, cofounder, and co-owner of Elcomsoft, confirmed that his company is a Corellium customer. 

‘Puzzling’ Claims

The leaked document, prepared in 2021, according to an included timeline, mirrors Apple’s arguments against Corellium, which it accused of violating its copyright and the Digital Millennium Copyright Act by re-creating a virtual version of iOS. While Apple has never publicly presented the evidence that’s contained in the document against Corellium, the tech giant accused Corellium in its lawsuit of helping researchers develop zero-day exploits and spyware for governments around the world, hinting that this was one of the main reasons it didn’t approve of Corellium’s practices, apart from alleged copyright infringement.

“Although Corellium paints itself as providing a research tool for those trying to discover security vulnerabilities and other flaws in Apple’s software, Corellium’s true goal is profiting off its blatant infringement,” Apple said in the complaint. “Far from assisting in fixing vulnerabilities, Corellium encourages its users to sell any discovered information on the open market to the highest bidder.”

Corellium has forcefully defended itself against Apple’s claims, saying it sells to “well-known and well-respected financial institutions, government agencies, and security researchers” who use their product for legitimate purposes.

In December 2020, when he dismissed Apple’s copyright infringement claims, US District Judge Rodney Smith, of the Southern District of Florida, sided with Corellium, writing in the order on the parties’ motions for summary judgment that “Apple’s position is puzzling, if not disingenuous.”

“As for Apple’s contention that Corellium sells its product indiscriminately, that statement is belied by the evidence in the record that the company has a vetting process in place (even if not perfect) and, in the past, has exercised its discretion to withhold the Corellium Product from those it suspects may use the product for nefarious purposes,” the judge wrote. “Having reviewed the evidence, the Court does not find a lack of good faith and fair dealing.”

The case took an unexpected turn in August 2021, when Apple and Corellium settled out of court. (The terms of the deal were confidential.) Then, days later, the tech giant filed an appeal, keeping its case against Corellium alive.

Bad Reputations

Even in 2019, NSO Group and DarkMatter had poor reputations in the world of cybersecurity. At the time, there had already been several examples of abuse of NSO Group’s Pegasus spyware, particularly against journalists in Mexico. Ronald Deibert, the director of the Citizen Lab, a digital rights watchdog housed at the University of Toronto's Munk School that has investigated companies like NSO Group for years, said in March 2019 that there was a “mountain of evidence that NSO Group’s surveillance technology is being abused by its clients, and the company is either unwilling or unable to perform the type of due diligence to prevent that from happening.” 

Both Apple and Microsoft have called NSO Group “21st-century mercenaries.”

Gorton has publicly denied selling Corellium’s products to DarkMatter and NSO Group and said Corellium does not sell to companies in the Middle East.

“We have definitely rejected customers who have approached us. I’m sure you can imagine DarkMatter, NSO Group have all reached out and we just politely declined, we don’t sell to that region,” she said during a November 2021 interview with the Decipher podcast

In the interview, she sold her company’s mission as positive and uncontroversial, saying that Corellium can be used to help researchers find bugs and report them to companies like Apple, something that companies like NSO Group, DarkMatter, Paragon, Pwnzen, Cellebrite, and Elcomsoft don’t do. Gorton added that hunting for security bugs is “kind of exactly what we wanted to see the platform used for.”

In the past, other Corellium executives and founders have repeatedly downplayed the possibility that bad actors could use its software. When asked whether he was worried that Corellium customers could use the product to find bugs and develop exploits that would then be used by governments, David Wang, one of the company’s cofounders, told Forbes in 2018 that the company would be “selective in who we choose to do business with.” 

Wang did not respond to WIRED’s request for comment. 

In the podcast interview, Gorton has also fielded questions about how Corellium vets its customers to avoid selling to bad actors and that the company takes this process “very seriously,” selling only in the Asia-Pacific, European Union, and North America regions, and researching companies they don’t recognize. “We err on the side of caution,” she said.

The leaked document includes a 2021 email from Steve Dyer, the vice president of sales and business development at Corellium, to Gorton. In the email, Dyer explains the process for vetting “current and future cloud customers” as they submit requests for trials online. Part of the process, Dyer wrote, is to check that the companies are not from countries sanctioned by the US government, such as North Korea, Sudan, Syria, and Russia. (While Elcomsoft is headquartered in Russia, the company is not sanctioned by the US government.) 

“China has been added to the list for auto-denied trials,” Dyer wrote. 

Last year, the US government added NSO Group to a federal blocklist, preventing any US companies and individuals from doing business with the spyware company. In correspondence with WIRED, Corellium said it voluntarily refused to sell its software to NSO Group “more than two years before the United States Department of Commerce placed NSO Group on its Entity List.”

Nevertheless, Corellium’s engagement with these controversial companies may change the cybersecurity community’s view that Apple’s lawsuit is a case of an entitled tech giant going after a scrappy startup with an innovative product that it doesn’t like. 

John Scott-Railton, a senior researcher at the Citizen Lab, says the Corellium sales department’s outreach to NSO Group and DarkMatter is “a potentially cynical act” given the nature of those companies. “At that point, Corellium and everyone else knew exactly who NSO Group was and what they would do with that kind of technology and the people that would inevitably be harmed,” Scott-Railton says. “It raises questions about their ethics, their judgment, or both.”

Zach Edwards, an independent privacy and security researcher, says that “sensitive technology cannot be haphazardly sold to any company, in any country in the world.”

“While Corellium is a reverse-engineering tool that doesn't intrinsically create risks through its sale, the core purpose of the tool is to reverse malware,” Edwards says. “And if you sell the product to malware developers in countries averse to Western interests, we should assume that this tool will be used to improve malware.”

A person who tried Corellium in the past, who asked to remain anonymous because they were not allowed to speak to the press, says that “given what’s happening in the world today, you shouldn’t be dealing with Russian companies,” such as Elcomsoft. 

Elcomsoft’s CEO Katalov says that “the decision to work with a company based in Russia is a personal choice.”

“Please rest assured that we still strive to provide the best software and services, and trying to keep good relationships with our customers all over the world,” he adds. “We will just keep doing our job, making the world a safer place and battling the crime.”

Adrian Sanabria, a cybersecurity veteran, says that it’s not surprising that “groups interested in creating iOS exploits would be using a platform designed for iOS security research.” 

“For me, the core takeaway is that Apple created the need for platforms like Corellium by not providing the tools, access, and transparency the market needs and desires,” he says.

Danger Zones

Some of the organizations and companies linked to Corellium in the document come from countries seen as controversial by most people in the cybersecurity community in the West, including Alex Stamos, who acted as an expert witness for Corellium in the lawsuit against Apple.  

“I personally don’t believe it would be ethical to sell exploits to Saudi Arabia,” Stamos, the director of Stanford University’s Internet Observatory, said during testimony he provided in the lawsuit between Apple and Corellium, which is quoted in the document.  

Stamos also expressed doubts about selling products to the United Arab Emirates, whose government had a close relationship with DarkMatter. “The UAE has been shown to use malware and exploits to spy on journalists and suppress local dissent,” Stamos said. 

In response to the document’s revelations, Stamos says he doesn’t think “it's appropriate for Apple to use copyright law to try to stop security research, and I don't think it's responsible for Corellium to offer their product to companies known to create malicious software for authoritarian states.”

The document also includes the logos of alleged Corellium customers and companies linked to it. As well as the companies previously mentioned, the document includes the logo of Azimuth, a provider of advanced hacking tools to the intelligence and law enforcement agencies of the so-called Five Eyes. Other logos include the Centre for Strategic Infocomm Technologies of Singapore, or CSIT, as well as the logo of an academic institution in Saudi Arabia called the Center of Excellence in Information Assurance (COEIA), housed at the King Saud University. 

CSIT executives did not respond to a request for comment. Other than the logo of the COEIA, the document also shows a 2019 email titled “invitation to Corellium” sent to the organization. The COEIA did not respond to a request for comment.

The legal battle between Apple and Corellium is ongoing. Late last month, the two companies appeared at a hearing before the Eleventh Circuit of the US Court of Appeals in Florida. Apple’s lawyer, Melissa Sherry, argued that Corellium’s product is just a slightly tweaked version of iOS that’s not transformative enough not to be fair use. Corellium attorney Kevin Russell said the product helps users “shed light on the functionality of the Apple operating system” and is, therefore, fair use.

“I don't think there's a genuine dispute that the purpose of the product is to explore the unprotected functionality of the system's software,” he said. “What people do with that knowledge is the subject of another statute.”