Researchers from Google’s Threat Analysis Group (TAG) revealed that the Italian surveillance firm RCS Labs was helped by some Internet service providers (ISPs) in Italy and Kazakhstan to infect Android and iOS users with their spyware.

Google experts have been tracking the activities of surveillance firms for years, its experts reported that seven of the nine zero-days discovered by TAG in 2021 were developed by commercial providers and sold to and used by government-backed actors. TAG researchers tracked more than 30 vendors selling exploits or surveillance capabilities to nation-state actors.

The attack chain implemented by RCS Labs for all the campaigns uncovered by TAG began with a unique link sent to the target. Once clicked the link, the victim is redirected to a page designed to trick users into downloading and installing a malicious application on either Android or iOS.

“In some cases, we believe the actors worked with the target’s ISP to disable the target’s mobile data connectivity. Once disabled, the attacker would send a malicious link via SMS asking the target to install an application to recover their data connectivity.” reads the report published by Google. “We believe this is the reason why most of the applications masqueraded as mobile carrier applications. When ISP involvement is not possible, applications are masqueraded as messaging applications.”

In case the threat actors cannot receive the help of the ISP, they used applications masqueraded as messaging applications.

The following image shows a landing page to trick Italian users into installing one of the following apps in order to recover their accounts. The analysis of the code of the page shows that only the WhatsApp download links are pointing to attacker-controlled content for Android and iOS users. 

Google TAG researchers observed the Italian firm sideloading the iOS version, which was signed with an enterprise certificate. Then the attackers asked the victims to enable the installation of apps from unknown sources.

The iOS app analyzed by the researchers contained the following exploits:
  • CVE-2018-4344 internally referred to and publicly known as LightSpeed.
  • CVE-2019-8605 internally referred to as SockPort2 and publicly known as SockPuppet
  • CVE-2020-3837 internally referred to and publicly known as TimeWaste.
  • CVE-2020-9907 internally referred to as AveCesare.
  • CVE-2021-30883 internally referred to as Clicked2, marked as being exploited in-the-wild by Apple in October 2021.
  • CVE-2021-30983 internally referred to as Clicked3, fixed by Apple in December 2021.
“All exploits used before 2021 are based on public exploits written by different jailbreaking communities. At the time of discovery, we believe CVE-2021-30883 and CVE-2021-30983 were two 0-day exploits. In collaboration with TAG, Project Zero has published the technical analysis of CVE-2021-30983.” continues the analysis.

In the Android infections, threat actors did not use exploits, they tricked victims into granting permissions to install applications from unknown sources.

To protect Android users, Google warned them and implemented changes in Google Play Protect and disabled Firebase projects that were used as C2 in this campaign.

This week, Lookout Threat Lab researchers uncovered enterprise-grade Android surveillance spyware, named Hermit, used by the government of Kazakhstan to track individuals within the country.

According to Lookout, the Hermit spyware was likely developed by Italian surveillance vendor RCS Labs S.p.A and Tykelab Srl, the latter is a telecommunications solutions company suspected to be operating as a front company.

Google already notified Android users infected with the Hermit spyware and implemented changes in Google Play Protect to protect all users.
-Prameet