Google attributes the attacks to Italian spyware vendor RCS Labs, adding that it has found victims in Italy and Afghanistan.
Attacks Begin With Malicious Links Sent via SMS to Targets
Members of Google’s Threat Analysis Group (TAG) and Project Zero have worked together and published their findings on the campaign. A typical attack starts with the target receiving a malicious link over SMS that claims to be the official app of a popular messaging or carrier service. TAG first brought the campaign to Project Zero’s notice in December 2021, when it shared an imposter “My Vodafone” iOS app. The app looked just like the official one, but it did not come from Apple’s App Store. Upon further investigation, the Project Zero researchers found that it contained six privilege escalation exploits.

“The app is broken up into multiple parts. It contains a generic privilege escalation exploit wrapper which is used by six different exploits. It also contains a minimalist agent capable of exfiltrating interesting files from the device, such as the Whatsapp database,” TAG’s blog post reads.

TAG and Project Zero both said that in some cases the attacker worked with local ISPs to carry out the attack. In such an instance, the local ISP would disable the target’s data connectivity, after which the attacker would send the malicious SMS urging the target to download an application to regain access to data services. In cases where this cooperation is not possible, the attackers use fake messaging applications, such as a phony WhatsApp.
Attackers Sidestep Apple App Store
The attackers bypass Apple’s stringent protections against malicious apps by side-loading the apps onto target devices. They do so by abusing Apple’s own mechanism for distributing developer apps: Apple allows developers to test certain apps on iOS devices before they are listed on the App Store, but these apps must be signed with a certificate issued to a company enrolled in the Apple Developer Enterprise Program. Here, the attackers use a certificate from a company named 3-1 Mobile SRL, which is enrolled in Apple’s program, allowing their apps to be side-loaded onto devices.

For Android devices, the targets are redirected to a website where they are nudged to download an APK file. For this to succeed, the victim must also enable the installation of apps from unknown sources on their device. Google said it has alerted affected Android users about the spyware. “Installing the downloaded APK requires the victim to enable installation of applications from unknown sources. Although the applications were never available in Google Play, we have notified the Android users of infected devices and implemented changes in Google Play Protect to protect all users,” TAG stated.
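Both delivery paths described above leave a trace a defender can check for: on Android, a package installed outside Google Play shows an installer other than the Play Store in `pm list packages -i` output, and on iOS, an app distributed through the Developer Enterprise Program carries an embedded provisioning profile whose plist sets `ProvisionsAllDevices`. The script below is an added example written for this article, not code from Google TAG or Project Zero; the `pm` output and the provisioning profile it inspects are constructed samples with made-up package names, and the set of installers treated as trusted is an assumption of the example.

```python
import plistlib
import re

# Assumption for this example: only the Play Store counts as a trusted installer.
# `installer=null` means adb/sideload; the package installer means a manual APK install.
TRUSTED_INSTALLERS = {"com.android.vending"}

# Constructed sample of `adb shell pm list packages -i` output (the line format is
# real; the package names are invented for illustration).
SAMPLE_PM_OUTPUT = """\
package:com.android.chrome  installer=com.android.vending
package:com.example.carrierapp  installer=null
package:com.example.chat  installer=com.google.android.packageinstaller
"""

PM_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")


def parse_pm_list(text):
    """Return {package_name: installer} parsed from `pm list packages -i` output."""
    result = {}
    for line in text.splitlines():
        match = PM_LINE.match(line.strip())
        if match:
            result[match.group(1)] = match.group(2)
    return result


def sideloaded_packages(text):
    """Packages whose installer is not a trusted store, sorted for stable reporting."""
    return sorted(
        pkg for pkg, installer in parse_pm_list(text).items()
        if installer not in TRUSTED_INSTALLERS
    )


# Constructed sample of an embedded.mobileprovision file. A real profile is a CMS
# (PKCS#7) DER blob wrapping an XML plist; here a few junk bytes stand in for the
# signature envelope and plistlib builds the plist with the real key names.
SAMPLE_PROFILE = (
    b"\x30\x82\x01\x00" + b"\x00" * 8
    + plistlib.dumps({
        "Name": "Example In-House Distribution",
        "TeamName": "EXAMPLE-TEAM (placeholder)",
        "ProvisionsAllDevices": True,
        "Entitlements": {"get-task-allow": False},
    })
    + b"\x00" * 4
)


def extract_profile_plist(blob):
    """Pull the XML plist out of a provisioning profile's CMS envelope and parse it."""
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>")
    if start == -1 or end == -1:
        raise ValueError("no plist found in provisioning profile")
    return plistlib.loads(blob[start:end + len(b"</plist>")])


def classify_profile(profile):
    """Classify a provisioning profile by the keys it carries.

    Enterprise (in-house) profiles set ProvisionsAllDevices; ad hoc and development
    profiles list specific ProvisionedDevices; App Store profiles have neither.
    Apps installed from the App Store usually ship no embedded profile at all, so
    finding an enterprise profile on a device outside a managed fleet is worth a look.
    """
    if profile.get("ProvisionsAllDevices"):
        return "enterprise"
    if "ProvisionedDevices" in profile:
        return "adhoc-or-development"
    return "appstore"


if __name__ == "__main__":
    print("Android packages not from a trusted store:", sideloaded_packages(SAMPLE_PM_OUTPUT))
    profile = extract_profile_plist(SAMPLE_PROFILE)
    print("iOS profile", profile.get("TeamName"), "->", classify_profile(profile))
```

In practice the `pm` text comes from `adb shell pm list packages -i` on the device under review, and the profile from the app bundle's `embedded.mobileprovision`; the functions above take those as input so the triage can run over collected artifacts rather than on the device itself.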
Rise of the Commercial Spyware Industry
Google has also warned all internet users about the rise of the commercial spyware industry. The company said that while the use of commercial spyware may be legal, its abuse can lead to an attack on democratic principles. There are several reports of national governments using spyware such as Pegasus to target political opponents, activists, and journalists.

Furthermore, spyware vendors are increasingly stockpiling zero-day vulnerabilities and hiding them from the public and the larger industry. This leads to a corresponding increase in risk to all users, especially if a vendor were to be compromised. “This has happened to multiple spyware vendors over the past ten years, raising the specter that their stockpiles can be released publicly without warning,” TAG said. “This is why when Google discovers these activities, we not only take steps to protect users, but also disclose that information publicly to raise awareness and help the entire ecosystem, in line with our historical commitment to openness and democratic values,” it added.