• Home
  • News
  • ISPs to infect iOS and Android users

NEWS

Spyware vendor works with ISPs to infect iOS and Android users

Posted on June 24, 2022 by

Google’s Threat Analysis Group (TAG) revealed today that RCS Labs, an Italian spyware vendor, has received help from some Internet service providers (ISPs) to infect Android and iOS users in Italy and Kazakhstan with commercial surveillance tools.

RCS Labs is just one of more than 30 spyware vendors whose activity is currently tracked by Google, according to Google TAG analysts Benoit Sevens and Clement Lecigne.

During attacks that used drive-by-downloads to infect multiple victims, the targets were prompted to install malicious apps (camouflaged as legitimate mobile carrier apps) to get back online after their Internet connection was cut with the help of their ISP.

“In some cases, we believe the actors worked with the target’s ISP to disable the target’s mobile data connectivity,” the report claims.

“Once disabled, the attacker would send a malicious link via SMS asking the target to install an application to recover their data connectivity.”

If they couldn’t directly work with their targets’ ISPs, the attackers would disguise the malicious apps as messaging applications.

They pushed them using a made-up support page that claimed to help the potential victims recover their Facebook, Instagram, or WhatsApp suspended accounts.

However, while the Facebook and Instagram links would allow them to install the official apps, when clicking the WhatsApp link they would end up installing a malicious version of the legitimate WhatsApp app.

Multiple exploits (some of them zero-days) used for surveillance

Google says the malicious apps deployed on the victims’ devices weren’t available in the Apple App Store or Google Play. However, the attackers sideloaded the iOS version (signed with an enterprise certificate) and asked the target to enable the installation of apps from unknown sources.

The iOS app spotted in these attacks came with several built-in exploits allowing it to escalate privileges on the compromised device and steal files.

“It contains a generic privilege escalation exploit wrapper which is used by six different exploits. It also contains a minimalist agent capable of exfiltrating interesting files from the device, such as the Whatsapp database,” the analysts explained.

Original Posts: Spyware vendor works with ISPs to infect iOS and Android users