Alphabet’s Google Inc. on Thursday confirmed in a report that hacking tools from an Italian company were used to spy on Apple and Android smartphones in Italy and Kazakhstan, adding that the commercial spyware industry is thriving and growing at a significant rate.
According to the report, the spy tools were developed by Milan-based RCS Lab, which used “a combination of tactics, including atypical drive-by downloads as initial infection vectors, to target mobile users on both iOS and Android” without their knowledge. The tools were created to access private messages and contacts stored on the targeted device.
Google’s Threat Analysis Group (TAG) said that the spyware spreads by getting people to click on links in messages sent to targets.
Once clicked, the page attempted to get the user to download and install a malicious application on either Android or iOS. In some cases, Google believes that the actors worked with the target’s ISP to disable the target’s mobile data connectivity.
Once connectivity was disabled, the attacker would send a malicious link via SMS asking the target to install an application to recover their data connectivity. Google believes this is why most of the applications masqueraded as mobile carrier applications.
When not masquerading as a mobile internet service provider (ISP), the applications masqueraded as messaging applications in order to trick people into clicking malicious links.
“Google has been tracking the activities of commercial spyware vendors for years, and in that time we have seen the industry rapidly expand from a few vendors to an entire ecosystem,” the TAG team told WIRED.
“These vendors are enabling the proliferation of dangerous hacking tools, arming governments that would not be able to develop these capabilities in-house. But there is little or no transparency into this industry, that’s why it’s critical to share information about these vendors and their capabilities.”
Google said it had taken steps to ramp up software defenses and warned all Android victims. As for Apple, it has revoked all known accounts and certificates associated with the spyware campaign.
TAG says it currently tracks more than 30 spyware makers that have grown into a full-blown ecosystem, with varying levels of sophistication and public exposure, selling exploits or surveillance capabilities to government-backed actors.
RCS Lab claims on its website that European law enforcement agencies are among its clients. It describes itself as a maker of complete “lawful interception” services with more than 10,000 intercepted targets handled daily in Europe alone.
The Italian company told Reuters that its products and services comply with European Union rules and will help law enforcement agencies to investigate cybercrimes.
“Any sales or implementation of products is performed only after receiving an official authorization from the competent authorities. Our products are delivered and installed within the premises of approved customers. RCS Lab personnel are not exposed, nor participate in any activities conducted by the relevant customers,” it added.