Google recently revealed in a new blog post that it has been monitoring the activities of commercial spyware vendors, including Italy-based RCS Lab, which targeted mobile users in Italy and Kazakhstan.
The findings were discovered by Google’s Threat Analysis Group, or TAG, which has tracked more than 30 vendors with “various levels of sophistication and public exposure selling exploits or surveillance capabilities to government-backed actors,” according to a company blog post.
RCS Lab has been accused of using a combination of tactics to deliver its spyware to both Android and iOS users in the affected regions, including atypical drive-by downloads as the initial infection vector. Here’s how the attack tricked users into installing malicious applications.
How does the RCS Lab spyware tool work?
Google’s TAG saw a similar pattern in all victims of the powerful attack. A unique link is sent to the target, which, when clicked, redirects the user to another page and leads them to download and install a malicious application on their Android or iOS device.
This app would target and disable the victim’s mobile data connection. However, this would only be the first step in the attack.
After the data services are compromised, the attacker would send another malicious link via SMS and ask users to install another application to restore their now-disabled data connection. These apps took different approaches on Android and on iOS.
“We believe this is why most applications masquerade as mobile carrier applications,” Google said in the post, adding that “when ISP involvement is not possible, applications are disguised as messaging applications.”
For iOS devices, attackers simply followed Apple’s instructions for distributing proprietary internal apps to Apple devices, using the itms-services protocol with a manifest file and com.ios.Carrier as the identifier.
The attacking application was also signed with a certificate from a company called 3-1 Mobile SRL, which made it compliant with all iOS code-signing requirements, since the company was enrolled in the Apple Developer Enterprise Program.
These attacking apps can be sideloaded onto phones instead of being installed from something like the App Store. The app then uses multiple exploits to escalate its privileges and extract important files from the device. Notably, all the exploits were public ones written by various jailbreak communities.
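As an added illustration of the distribution mechanism described above (this is not code from Google’s post or from the campaign), the Python below does what a defender triaging a suspicious SMS link would do: it pulls the manifest URL out of an itms-services:// link, parses the enterprise-distribution manifest, and flags the com.ios.Carrier identifier named in the report along with a plaintext or off-host payload URL. The link, hostnames and manifest contents are constructed placeholders.

```python
import plistlib
from urllib.parse import urlparse, parse_qs

# Constructed sample lure and manifest. Only the com.ios.Carrier identifier comes
# from Google's report; the hostnames, paths and title are placeholders.
SAMPLE_LINK = ("itms-services://?action=download-manifest"
               "&url=https://carrier-support.example/manifest.plist")
SAMPLE_MANIFEST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>items</key><array><dict>
    <key>assets</key><array><dict>
      <key>kind</key><string>software-package</string>
      <key>url</key><string>http://cdn.example/payload.ipa</string>
    </dict></array>
    <key>metadata</key><dict>
      <key>bundle-identifier</key><string>com.ios.Carrier</string>
      <key>kind</key><string>software</string>
      <key>title</key><string>Carrier Settings</string>
    </dict>
  </dict></array>
</dict></plist>"""

# Bundle identifier named in the report, compared case-insensitively.
WATCHLIST = {"com.ios.carrier"}

def manifest_url(link):
    """Return the manifest URL carried by an itms-services:// link, or None."""
    parsed = urlparse(link)
    if parsed.scheme != "itms-services":
        return None
    query = parse_qs(parsed.query)
    if query.get("action") != ["download-manifest"]:
        return None
    return query.get("url", [None])[0]

def triage_manifest(manifest_bytes, manifest_host):
    """Extract bundle id and .ipa URL from an enterprise manifest and list red flags."""
    item = plistlib.loads(manifest_bytes)["items"][0]
    bundle_id = item["metadata"]["bundle-identifier"]
    ipa_url = next(a["url"] for a in item["assets"] if a["kind"] == "software-package")
    findings = []
    if bundle_id.lower() in WATCHLIST:
        findings.append("bundle identifier on watchlist")
    ipa = urlparse(ipa_url)
    if ipa.scheme != "https":
        findings.append("payload served over plaintext http")
    if ipa.hostname != manifest_host:
        findings.append("payload host differs from manifest host")
    return bundle_id, ipa_url, findings
```

In practice the manifest bytes would be fetched from the URL returned by manifest_url, with the manifest’s own hostname passed as the second argument.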
For Android phones, the downloaded APK requires victims to first enable installation of applications from unknown sources. The attacking app disguises itself as a legitimate Samsung app and even gets a Samsung logo to trick users.
Google revealed that while the APK itself contained no exploits, the code hinted at the presence of exploits that could be downloaded and run on the target device.
“This campaign is a good reminder that attackers don’t always use exploits to get the necessary permissions. Basic infection vectors and drive-by downloads still work and can be very efficient with the help of local ISPs,” Google said in the post.
Commercial spyware industry is growing at a ‘worrying’ pace
Google stated in its post that the increasing use of spyware should be a cause for concern for all users. “These vendors enable the proliferation of dangerous hacking tools and arm governments that would not be able to develop these capabilities internally,” it said.
Apple has not yet responded to the statement. Meanwhile, RCS Lab denies any wrongdoing on its part, saying its products and services comply with European rules and help law enforcement agencies investigate crimes, according to a Reuters report. “RCS Lab personnel are not exposed to and do not participate in activities performed by the relevant customers,” the report said.