Google warns iOS and Android users of new spyware, identifies victims in Italy and Kazakhstan
Google’s Threat Analysis Group (TAG) has found that iOS and Android users in Italy and Kazakhstan have been targeted with new spyware, which TAG attributes to the Italian vendor RCS Lab.
“Today, alongside Google’s Project Zero, we are detailing capabilities we attribute to RCS Lab, an Italian vendor that uses a combination of tactics, including atypical drive-by downloads as initial infection vectors, to target mobile users on both iOS and Android,” Benoit Sevens and Clement Lecigne of TAG wrote in the group’s report published on June 23, 2022.
A week earlier, researchers at Lookout Threat Lab had attributed the Android spyware “Hermit” to RCS Lab, reporting that it had been used in Italy during a 2019 anti-corruption operation and that they had also found evidence of its deployment in northeastern Syria.
However, in a report by The Guardian, RCS Lab condemned the abuse of its products and said that its employees “are not exposed, nor participate in any activities conducted by the relevant customers.”
TAG, which is actively tracking more than 30 vendors selling exploits or surveillance capabilities to government-backed actors, warned internet users about the threat posed by the thriving commercial spyware industry.
“These vendors are enabling the proliferation of dangerous hacking tools and arming governments that would not be able to develop these capabilities in-house,” Google said, adding that such surveillance tools are often used by governments for purposes that run counter to democratic values and that undermine users’ trust.
TAG’s campaign overview shows that every campaign it observed began with a unique link sent to the target; a single click took the victim to a page that tried to get them to download and install a malicious application. In some cases TAG believes the attackers worked with the target’s ISP (internet service provider) to cut the victim’s mobile data connectivity, then sent an SMS link inviting the victim to install an application to restore service. Where the attackers could not work with the ISP, the lure was instead a fake messaging application, pitched as a way to recover an account.
On iOS, the malicious app could be installed outside the App Store because it was signed with a certificate issued under the Apple Developer Enterprise Program to a company named 3-1 Mobile SRL. Enterprise (in-house) certificates exist to let an organisation distribute apps directly to its own employees’ devices, so an app signed with one satisfies iOS code-signing checks without ever going through App Store review; the victim only has to tap through the install prompt on the attacker’s web page.
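The enterprise-certificate route described above leaves a concrete artifact worth checking: every development, ad hoc or enterprise build carries an embedded.mobileprovision file inside the app bundle, while App Store builds do not. The Python script below is added here as an example and is not code from Google’s report, Lookout or any vendor. It pulls the plist out of that file, distinguishes an enterprise profile (which carries `ProvisionsAllDevices`) from a development or ad hoc profile (which lists `ProvisionedDevices` instead), and flags an enterprise profile whose signing team is not on an allowlist. The two sample profiles it runs on are constructed; the team name, team identifier, bundle ID and device UDIDs in them are hypothetical.

```python
"""Flag iOS enterprise (in-house) provisioning profiles from unknown teams.

Added example for this article, not code from Google TAG, Lookout or RCS Lab.
The two sample profiles are constructed; every team name, team identifier,
bundle ID and device UDID in them is hypothetical.
"""
import plistlib
import re
from dataclasses import dataclass
from datetime import datetime

# embedded.mobileprovision is a DER-encoded CMS (PKCS#7) SignedData blob whose
# signed payload is an XML plist. Instead of parsing the ASN.1 we pull out the
# plist text between the XML prolog and the closing </plist> tag.
_PLIST_RE = re.compile(rb"<\?xml.*?</plist>", re.DOTALL)

REVIEW_TIME = datetime(2022, 6, 1)  # fixed clock so the sample run is repeatable


@dataclass
class ProfileSummary:
    name: str
    team_name: str
    team_ids: list
    app_id: str
    provisions_all_devices: bool  # True only for enterprise (in-house) profiles
    device_count: int             # UDIDs listed by development / ad hoc profiles
    expiration: datetime


def parse_profile(blob: bytes) -> ProfileSummary:
    """Extract the fields that matter for a sideloading review."""
    match = _PLIST_RE.search(blob)
    if match is None:
        raise ValueError("no plist payload found in provisioning profile")
    plist = plistlib.loads(match.group(0))
    return ProfileSummary(
        name=plist.get("Name", ""),
        team_name=plist.get("TeamName", ""),
        team_ids=list(plist.get("TeamIdentifier", [])),
        app_id=plist.get("Entitlements", {}).get("application-identifier", ""),
        provisions_all_devices=bool(plist.get("ProvisionsAllDevices", False)),
        device_count=len(plist.get("ProvisionedDevices", [])),
        expiration=plist["ExpirationDate"],
    )


def assess(summary: ProfileSummary, allowed_team_ids, now=REVIEW_TIME) -> list:
    """Return human-readable findings; an empty list means nothing stood out."""
    findings = []
    if summary.provisions_all_devices:
        # An enterprise profile installs on any device with no App Store review,
        # which is what makes an enterprise certificate useful for pushing an
        # app from a web page. Accept only teams the organisation knows.
        if not set(summary.team_ids) & set(allowed_team_ids):
            findings.append(
                f"enterprise profile {summary.name!r} for {summary.app_id} is "
                f"signed by team {summary.team_name!r} "
                f"({', '.join(summary.team_ids)}), not on the allowlist")
    elif summary.device_count:
        findings.append(
            f"development/ad hoc profile limited to {summary.device_count} device(s)")
    if summary.expiration <= now:
        findings.append(f"profile expired on {summary.expiration:%Y-%m-%d}")
    return findings


def _sample(name, team_id, bundle, expires, extra):
    """Build a constructed profile: CMS-looking header bytes (not a real
    signature), the plist payload, then filler where the signature would be."""
    xml = f"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Name</key><string>{name}</string>
  <key>TeamName</key><string>Example Enterprise S.r.l.</string>
  <key>TeamIdentifier</key><array><string>{team_id}</string></array>
  <key>Entitlements</key><dict>
    <key>application-identifier</key><string>{team_id}.{bundle}</string>
  </dict>
  <key>ExpirationDate</key><date>{expires}</date>
  {extra}
</dict></plist>"""
    return bytes.fromhex("30820bde06092a864886f70d010702a082") + xml.encode() + b"\0" * 16


# Constructed: an in-house profile of the kind the article describes.
ENTERPRISE_PROFILE = _sample(
    "Example In-House Distribution", "ABCDE12345", "com.example.messenger",
    "2023-01-10T09:00:00Z", "<key>ProvisionsAllDevices</key><true/>")

# Constructed: a development profile pinned to two devices and already expired.
DEV_PROFILE = _sample(
    "Example Dev", "ABCDE12345", "com.example.messenger", "2022-03-01T00:00:00Z",
    "<key>ProvisionedDevices</key><array><string>00008030-0000000000000001</string>"
    "<string>00008030-0000000000000002</string></array>")

if __name__ == "__main__":
    for label, blob in ("enterprise", ENTERPRISE_PROFILE), ("development", DEV_PROFILE):
        for finding in assess(parse_profile(blob), ["CORP0TEAM1"]) or ["no findings"]:
            print(f"{label}: {finding}")
```

On a real device backup or an unpacked .ipa the file sits inside the app bundle as embedded.mobileprovision; on macOS, `security cms -D -i embedded.mobileprovision` decodes the same plist if you prefer a proper CMS parser over the regex shortcut. The key point for reviewers is the allowlist: the certificate itself is perfectly valid, so the only question is whether the team that holds it is one your organisation actually expects to be installing software on its devices.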
On Android, TAG said the malicious APK (Android Package Kit), which posed as a legitimate Samsung application, “does not contain any exploits” itself; its command-and-control code, however, indicates that exploits can be fetched from the attacker’s infrastructure and executed at runtime, so the clean-looking package says little about what the implant can do once installed.
“This campaign is a good reminder that attackers do not always use exploits to achieve the permissions they need. Basic infection vectors and drive-by downloads still work and can be very efficient with the help from local ISPs,” Google stated.
In response, Google published its findings to raise awareness and called for a “comprehensive approach” to the commercial surveillance industry. It also updated Google Play Protect, disabled the Firebase projects the attackers used for command and control, and released indicators of compromise in the report.