Spyware vendor works with ISPs to infect iOS and Android users
Google’s Threat Analysis Group (TAG) revealed today that RCS Labs, an Italian spyware vendor, has received help from some Internet service providers (ISPs) to infect Android and iOS users in Italy and Kazakhstan with commercial surveillance tools.
RCS Labs is just one of more than 30 spyware vendors whose activity is currently tracked by Google, according to Google TAG analysts Benoit Sevens and Clement Lecigne.
In attacks that relied on drive-by downloads to infect multiple victims, targets were prompted to install malicious apps disguised as legitimate mobile carrier apps in order to get back online after their mobile data connection had been cut off with the help of their ISP.
“In some cases, we believe the actors worked with the target’s ISP to disable the target’s mobile data connectivity,” the report claims.
“Once disabled, the attacker would send a malicious link via SMS asking the target to install an application to recover their data connectivity.”
If they couldn’t directly work with their targets’ ISPs, the attackers would disguise the malicious apps as messaging applications.
They pushed them using a made-up support page that claimed to help the potential victims recover their Facebook, Instagram, or WhatsApp suspended accounts.
However, while the Facebook and Instagram links led to the official apps, the WhatsApp link installed a malicious version of the legitimate WhatsApp app.
Multiple exploits (some of them zero-days) used for surveillance
Google says the malicious apps deployed on the victims’ devices were not available in the Apple App Store or Google Play. Instead, the attackers sideloaded them: the iOS version was signed with an enterprise certificate, which lets an app satisfy iOS code-signing requirements without App Store review, while the Android version required the target to enable the installation of apps from unknown sources.
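Because the Android implant had to be sideloaded, one quick triage check on a suspect device is to list third-party packages together with the component that installed them and flag anything that did not come from an app store. The script below is an added example, not code from Google TAG, Lookout or the original article. It parses the output of `adb shell pm list packages -3 -i` (assumed line format `package:<name>  installer=<installer>`, with `installer=null` when Android has no record of the installer) and additionally flags package names that imitate WhatsApp without being the official `com.whatsapp` package, since the campaign used a fake WhatsApp build. The sample output and the package names `com.whatsapp.update`, `it.carrier.recovery` and `com.example.bank` are constructed for illustration.

```python
"""Triage check for sideloaded Android apps (added example, not the article's code).

Parses `adb shell pm list packages -3 -i` output and reports:
  * third-party packages whose installer is not a trusted app store, and
  * package names that imitate WhatsApp but are not the official package.
"""
import re
from dataclasses import dataclass

# Installer package names treated as "came from an app store".
# com.android.vending is Google Play; extend this set for OEM stores.
TRUSTED_INSTALLERS = {"com.android.vending"}

# Official WhatsApp package name; anything else containing "whatsapp" is suspect.
OFFICIAL_WHATSAPP = "com.whatsapp"

# Assumed output format of `pm list packages -i`:
#   package:<name>  installer=<installer-or-null>
LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<installer>\S+)\s*$")


@dataclass(frozen=True)
class Finding:
    package: str
    installer: str
    reason: str


def parse_pm_list(output: str) -> dict[str, str]:
    """Map package name -> installer string ('null' when no installer is recorded)."""
    packages: dict[str, str] = {}
    for line in output.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            packages[match["pkg"]] = match["installer"]
    return packages


def triage(output: str) -> list[Finding]:
    """Return one Finding per suspicious property of each third-party package."""
    findings: list[Finding] = []
    for pkg, installer in parse_pm_list(output).items():
        if installer not in TRUSTED_INSTALLERS:
            findings.append(Finding(pkg, installer, "sideloaded: installer is not a trusted app store"))
        if "whatsapp" in pkg.lower() and pkg != OFFICIAL_WHATSAPP:
            findings.append(Finding(pkg, installer, "package name imitates WhatsApp"))
    return findings


# Constructed sample output (not captured from a real device). The last two
# lines model a fake WhatsApp build dropped by the system package installer
# after a browser download, and a hypothetical "carrier" app installed via adb.
SAMPLE_PM_OUTPUT = """\
package:com.whatsapp  installer=com.android.vending
package:com.example.bank  installer=com.android.vending
package:com.whatsapp.update  installer=com.google.android.packageinstaller
package:it.carrier.recovery  installer=null
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_PM_OUTPUT):
        print(f"{finding.package:<24} installer={finding.installer:<40} {finding.reason}")
```

On a live device, replace `SAMPLE_PM_OUTPUT` with the captured output of `adb shell pm list packages -3 -i`. A non-store installer is not proof of compromise (developers and enterprise MDM sideload legitimately), so treat each finding as a lead for further inspection of the APK's signing certificate and permissions rather than as a verdict.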
The iOS app spotted in these attacks came with several built-in exploits allowing it to escalate privileges on the compromised device and steal files.
“It contains a generic privilege escalation exploit wrapper which is used by six different exploits. It also contains a minimalist agent capable of exfiltrating interesting files from the device, such as the Whatsapp database,” the analysts explained.
Some victims notified that their devices were compromised
Google has warned Android victims that their devices were hacked and infected with spyware, dubbed Hermit by security researchers at Lookout in a detailed analysis of this implant published last week.
According to Lookout, Hermit is “modular surveillanceware” that “can record audio and make and redirect phone calls, as well as collect data such as call logs, contacts, photos, device location and SMS messages.”
Google has also disabled the Firebase projects used by the threat actors to set up a command-and-control infrastructure for this campaign.
In May, Google TAG exposed another campaign in which state-backed threat actors used five zero-day security flaws to install Predator spyware developed by commercial surveillance developer Cytrox.
“TAG is actively tracking more than 30 vendors with varying levels of sophistication and public exposure selling exploits or surveillance capabilities to government-backed actors,” Google said at the time.