Darkweb, darknet and hacking concept. Hacker with cellphone. Man using dark web with smartphone. Mobile phone fraud, online scam and cyber security threat. Scammer using stolen cell. AR data code.
Image: terovesalainen/Adobe Stock

A stunning report from Google’s Threat Analysis Group exposes the new modus operandi of an Italian spyware vendor dubbed RCS Labs.

The spyware vendor ecosystem

TAG recently exposed the activities of Cytrox, a North Macedonian company with bases in Israel and Hungary responsible for a malware dubbed Predator.

The Israeli NSO Group was previously largely exposed for the activities behind their malware Pegasus, which targeted iOS and Android mobile phones in different countries. Lawsuits are still ongoing against NSO in various countries as of today. Italy has previously hosted the now defunct Hacking Team, exposed for its malware development and attacking infrastructure. In 2015, someone successfully attacked the company and exposed about 400GB of their data, including their customers.

As for RCS Lab in Italy, their website is clear about their capabilities:

“Tactical support investigation tools offered by RCS include GSM off-the-air monitoring systems, social network analysis tools and active intrusion systems that allow full intelligence on target users even for encrypted communications like Skype, PGP and secure web-mail. Tactical tools also encompass satellite off the air and GPS probe and localization systems, audio/video probes, video surveillance, extended CDR (xDR) probes, crypto phone solutions and WiFi catchers. ”

Google mentions tracking more than 30 of such vendors, which show varying levels of sophistication and public exposure, selling exploits or surveillance capabilities to government-backed threat actors.

A new attack campaign targeting Italy and Kazakhstan

This campaign starts with a unique link sent to the target and leads to the download and installation of a malicious software made for Android or iOS smartphones.

SEE: Mobile device security policy (TechRepublic Premium)

The iOS application does not trigger any alert since it is signed with a certificate from a company named 3-1 Mobile SRL, enrolled in the Apple Developer Enterprise Program. The application has seemingly never been available on the App Store but is instead sideloaded. It contains privilege escalation and leverages six different vulnerabilities, two of which being zero-day vulnerabilities at the time of discovery (CVE-2021-30883 and CVE-2021-30983).

The Android malicious software requires the targeted user to allow the installation of applications from unknown sources. The software has never been stored on the Google Play Store. It disguises itself as a Samsung application which once launched displays a legitimate website with the Samsung icon. Yet the application requests many permissions at first run. While the application does not contain any exploit triggers, it has the ability to download and run exploits.

A very concerning problem: ISP collaboration

Google’s TAG team reports that they “believe the actors worked with the target’s ISP to disable the target’s mobile data connectivity. Once disabled, the attacker would send a malicious link via SMS asking the target to install an application to recover their data connectivity. We believe this is the reason why most of the applications masquerade as mobile carrier applications.”

When it was not possible to work with the ISPs, the applications appear  as messaging applications instead of mobile carrier applications.

Billy Leonard, global head of analysis of state-sponsored hacking and threats at Google, expressed his concerns on Twitter after the publication of TAG’s report.

“The proliferation of surveillance and spyware capabilities, like those described by TAG today from RCS Lab, should be a major concern for all internet users, and one that we will continue to counter and disrupt,” Leonard tweeted.

More attacks to come

Google, based on its research and analysis done by both the TAG and Project Zero teams, assesses that “the commercial spyware industry is thriving and growing at a significant rate.” The whole business of spyware provides efficient tools to governments that would not be able to develop such capabilities themselves.

Google concludes that collaboration between threat intelligence teams, network defenders, academic researchers, governments and technology platforms is required to tackle these harmful practices of the commercial surveillance industry.

How to protect yourself from this threat

This threat is specific to Android and iOS operating systems on smartphones.

Users should always keep their operating systems and software updated in order to avoid being compromised by common vulnerabilities. Users should never run any software from an insecure source out of any legitimate application store. Users should always carefully check the permissions requested by the application when run for the first time.

While a lot of companies now have security awareness programs running, most of those are focused on computers and not on smartphones. Attackers tend to benefit from it, because they can try to infect smartphones via multiple ways: Smishing (SMS-based phishing), use of communication applications and the browser. Employees must be made aware of these threat vectors.

Disclosure: I work for Trend Micro, but the views expressed in this article are mine.