Spyware developed by Italian company RCS Labs was used to target mobile phones in Italy and Kazakhstan, in some cases with the help of victims’ mobile network providers, according to Google’s Threat Analysis Group (TAG). .
RCS Labs’ clients include law enforcement agencies around the world, according to the provider’s website. It is one of more than 30 outfits Google researchers are tracking that are selling exploits or surveillance capabilities to government-backed groups. And we are told that this particular spyware runs on both iOS and Android phones.
We understand that this particular espionage campaign involving RCS spyware was documented last week by Lookout, which dubbed the toolset “Hermit.” We are told that it is potentially capable of spying on victims’ chat applications, camera and microphone, address book and calendars, browser and clipboard, and send that information to the base. Italian authorities are said to have used this tool to tackle corruption cases, and the Kazakh government has also gotten their hands on it.
On Thursday this week, TAG revealed its analysis of the software and how it helped dismantle the infection.
According to Googlers Benoit Sevens and Clement Lecigne, some targets received text messages asking them to install an app to fix their mobile data connectivity. In fact, this app infected the device with RCS spyware. It appears that snoops using the surveillance tool were able to get the victims’ cell phone providers to downgrade their wireless Internet connectivity, thereby convincing brands to run the app.
“We think this is why most of the apps were masquerading as mobile operator apps,” Sevens and Lecigne. explained.
In cases without any telecommunications assistance, the spies would send a link to a page offering malicious apps posing as legitimate messaging apps from Meta, Facebook’s parent company. Running these programs infected the device with spyware.
Getting the app to download and run on iOS required a few extra steps due to the OS’s security measures: for one thing, the app didn’t come from the official App Store and would therefore normally be rejected. Instead, snoopers followed Apple’s notes on how to distribute proprietary internal apps for iThings, according to Google’s bug hunters.
This allowed criminals to produce an application digitally signed by a company enrolled in the Apple Developer Enterprise Program and, more importantly, one that could be installed on a victim’s device by having them find and run it from a web page. Web.
The iPhone app itself contains several parts, including a privilege escalation exploit to escape the sandbox it runs in, along with an agent that can steal files from iOS devices. In their analysis, Sevens and Lecigne analyzed an application with exploit code for the following vulnerabilities:
Meanwhile, on Android, the installation process worked like this: First, the victim is sent a link to a web page that tricks them into obtaining and installing a malicious app that looks like a legitimate Samsung app that, when start, open a web view showing a legitimate website related to the icon.
Once installed, it asks for permissions, uses messaging services like Firebase Cloud Messaging and Huawei Messaging Service for command and control communications, and then goes about the business of espionage and data theft.
You may also be able to download additional malware, researchers warn. “While the APK itself does not contain any exploits, the code suggests the presence of exploits that could be downloaded and executed,” Sevens and Lecigne wrote.
They also listed various hashes of executables, domains used to distribute the code and command and control domains, and IP addresses whose presence in the logs could indicate a compromised device.
Google notified all known Android victims, made changes to Google Play Protect to block RCS code execution, and disabled the Firebase project used for command-and-control communications, we were told. Hopefully, that should turn it off for now.
“This campaign is a good reminder that attackers don’t always use exploits to get the permissions they need,” added Sevens and Lecigne. “Basic infection vectors and drive-by downloads still work and can be very efficient with the help of local ISPs.” ®