Quadream's REIGN spyware said to have used same exploit as NSO Group's Pegasus, before being patched in September; clients also include Saudi Arabia