Google recently revealed in a new blog post that it has been tracking the activities of commercial spyware vendors, including Italy-based RCS Lab, which was found to be targeting mobile users in Italy and Kazakhstan.
The findings were discovered by Google’s Threat Analysis Group (TAG), which has tracked over 30 vendors with “varying levels of sophistication and public exposure selling exploits or surveillance capabilities to government-backed actors,” notes a blog post by the company.
RCS Lab’s spyware has been accused of using a combination of tactics to victimise both Android and iOS users in the affected regions. This includes atypical drive-by downloads as initial infection vectors. Here’s how the attack worked to trick users into installing malicious applications.
How does RCS Lab’s spyware tool work?
Google’s TAG observed a similar pattern with all victims of the powerful attack. A unique link is sent to the target, which when clicked, redirects the user to another page and gets them to download and install a malicious application on their Android or iOS device.
This app would target the victim’s mobile data connectivity and disable it. This would, however, just be the first step in the attack.
After the data services have been compromised, the attacker would send another malicious link via SMS, asking users to install another application to fix their now-disabled data connectivity. These apps would use different approaches for both Android and iOS phones.
“We believe this is the reason why most of the applications are masqueraded as mobile carrier applications,” Google said in the post, adding that “when ISP involvement is not possible, applications are masqueraded as messaging applications.”
For iOS devices, attackers simply followed Apple’s instructions on how to distribute proprietary in-house apps to Apple devices: they used the itms-services protocol with a manifest file that specified com.ios.Carrier as the identifier.
The attacking application would also be signed with a certificate from a company named 3-1 Mobile SRL, thus allowing it to satisfy all iOS code signing requirements since the company was enrolled in the Apple Developer Enterprise Program.
These attacking apps can be sideloaded onto phones instead of being installed from the App Store. The app then uses multiple exploits to escalate its privileges and extract important files from the device. Notably, all of the exploits were public ones written by various jailbreaking communities.
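As an added defensive illustration (not code from Google’s post or from RCS Lab), the following Python script shows how an organisation that legitimately uses in-house distribution could triage an itms-services link and its manifest: it pulls the manifest URL out of the link, parses the manifest plist, and flags bundle identifiers that fall outside the organisation’s own allowlist or that masquerade as carrier software, as com.ios.Carrier did here. The sample manifest, the cdn.example.test host and the com.examplecorp. allowlist prefix are constructed for the example; the article does not reproduce the real manifest.

```python
import plistlib
from urllib.parse import urlparse, parse_qs

# Constructed sample manifest in Apple's itms-services layout. It is NOT the
# manifest used in the campaign; only the identifier matches the article.
SAMPLE_MANIFEST = plistlib.dumps({"items": [{
    "assets": [{"kind": "software-package",
                "url": "https://cdn.example.test/carrier.ipa"}],
    "metadata": {"bundle-identifier": "com.ios.Carrier", "bundle-version": "1.0",
                 "kind": "software", "title": "Carrier Services"},
}]})

# Bundle-identifier prefixes the (hypothetical) organisation really ships in-house.
ALLOWED_PREFIXES = ("com.examplecorp.",)
# Words that suggest an app is posing as mobile-carrier or ISP software.
CARRIER_WORDS = ("carrier", "isp", "operator")


def manifest_url_from_link(link):
    """Return the manifest URL embedded in an itms-services:// link, or None."""
    parsed = urlparse(link)
    if parsed.scheme != "itms-services":
        return None
    query = parse_qs(parsed.query)          # parse_qs percent-decodes values
    if query.get("action") != ["download-manifest"]:
        return None
    urls = query.get("url")
    return urls[0] if urls else None


def triage_manifest(data, allowed_prefixes=ALLOWED_PREFIXES):
    """Parse a manifest plist; return (bundle_id, package_url, reasons) per item."""
    manifest = plistlib.loads(data)
    findings = []
    for item in manifest.get("items", []):
        meta = item.get("metadata", {})
        bundle_id = meta.get("bundle-identifier", "")
        package_url = next((a.get("url", "") for a in item.get("assets", [])
                            if a.get("kind") == "software-package"), "")
        reasons = []
        if not bundle_id.startswith(allowed_prefixes):
            reasons.append("bundle id outside organisation allowlist")
        label = (bundle_id + " " + meta.get("title", "")).lower()
        if any(word in label for word in CARRIER_WORDS):
            reasons.append("masquerades as mobile-carrier app")
        if package_url and urlparse(package_url).scheme != "https":
            reasons.append("package not served over https")
        findings.append((bundle_id, package_url, reasons))
    return findings
```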
For Android phones, the downloaded APK would require victims to first enable installation of applications from unknown sources. The attacking app disguises itself as a legitimate Samsung app, even getting a Samsung logo to trick users.
Google revealed that while the APK itself didn’t contain any exploits, its code hinted at the presence of exploits that could be downloaded and executed on the target device.
“This campaign is a good reminder that attackers do not always use exploits to achieve the permissions they need. Basic infection vectors and drive-by downloads still work and can be very efficient with the help from local ISPs,” Google said in the post.
Commercial Spyware industry growing at ‘concerning’ rate
Google mentioned in its post that the growing use of spyware should be concerning to all users. “These vendors are enabling the proliferation of dangerous hacking tools and arming governments that would not be able to develop these capabilities in-house,” it said.
Apple has yet to issue a response to the statement. Meanwhile, RCS Lab has denied any wrongdoing on its part, saying its products and services comply with European rules and help law enforcement investigate crimes, as per a report by Reuters. “RCS Lab personnel are not exposed, nor participate in any activities conducted by the relevant customers,” the report said.