Google warns of new spyware targeting iOS and Android users

- Advertisement -


At the hearing it Last week, the infamous spyware vendor NSO told European lawmakers that at least five EU countries were using its powerful Pegasus spyware. But as more is known about the abuse of NSO products around the world, researchers are also working to raise awareness that the surveillance-for-hire industry extends far beyond a single company. On Thursday, the Google Threat Intelligence Team and the Project Zero Vulnerability Analysis Team published. results about the iOS version of a spy product attributed to the Italian developer RCS Labs.

- Advertisement -

Google researchers say they have found spyware victims in Italy and Kazakhstan on Android and iOS devices. Last week the security firm Lookout published findings about the Android version of the spyware, which he calls “Hermit” and also credits to RCS Labs. Lookout notes that Italian officials used the spyware version during the 2019 anti-corruption investigation. In addition to victims located in Italy and Kazakhstan, Lookout also found evidence suggesting that an unidentified individual used spyware to target northeast Syria.

- Advertisement -

“Google has been tracking commercial spyware vendors for years, and in that time we have seen the industry rapidly expand from a few vendors to an entire ecosystem,” TAG Security Engineer Clement Lesin told WIRED. “These vendors are facilitating the spread of dangerous hacking tools by arming governments that would not be able to develop these capabilities on their own. But there is little to no transparency in this industry, so it’s important to share information about these vendors and their capabilities.”

TAG says it currently monitors more than 30 spyware vendors that offer a variety of technical capabilities and levels of sophistication for government-supported clients.

- Advertisement -

While analyzing the iOS version, Google researchers found that the attackers distributed iOS spyware using a fake app that was supposed to look like the “My Vodafone” app from a popular international mobile operator. In attacks on both Android and iOS, attackers could simply trick the target into downloading what looked like a messaging app by distributing a malicious link that victims could click on. But in some particularly dramatic cases of targeting iOS, Google found that the attackers could work with local ISPs to disable a particular user’s mobile data connection, send them a malicious SMS download link, and convince them to install the fake My Vodafone app. over Wi-Fi with the promise that it would restore their cellular connection.

The attackers were able to distribute the malicious app because RCS Labs enrolled in the Apple Enterprise Developer Program, apparently through a shell company called “3-1 Mobile SRL”, to obtain a certificate that allows them to download apps without going through Apple’s typical verification process. AppStore. process.

Apple tells WIRED that all known accounts and certificates associated with the spy campaign have been revoked.

“Enterprise certificates are for company internal use only and are not intended for general app distribution as they can be used to bypass App Store and iOS security,” the company wrote in October. report about side loading. “Despite the tight control and limited scope of the program, attackers have found unauthorized access to it, for example, by purchasing corporate certificates on the black market.”

Project Zero contributor Jan Beer conducted a technical analysis of exploits used in RCS Labs malware for iOS. He notes that spyware uses a total of six exploits to gain access to spy on a victim’s device. While five of these are known and widespread exploits for older versions of iOS, the sixth vulnerability was unknown at the time of its discovery. (Apple fixed this vulnerability in December.) This exploit took advantage of structural changes in how data is transferred through new generations of Apple’s “coprocessors” as the company and the industry as a whole move towards a universal “system on one device”. – chip design.

The exploit is not unprecedented in its complexity, but Google researchers note that RCS Labs’ spyware reflects a broader trend in which the surveillance-for-hire industry is combining existing hacking methods and exploits with newer elements to gain the upper hand.

“The commercial surveillance industry is capitalizing on research from the hacker community and reusing it. In this case, three of the six exploits are public jailbreak exploits,” says TAG member Benoit Sevens. “We are also seeing how other surveillance vendors are re-using methods and infection vectors that were originally used and discovered by cybercriminal groups. And like other attackers, video surveillance vendors not only use sophisticated exploits, but also use social engineering attacks to lure their victims.”

The study shows that while not all players are as successful or famous as companies like NSO Group, many small and medium players together in a growing industry pose a real risk to Internet users worldwide.


Credit: www.wired.com /

- Advertisement -

Stay on top - Get the daily news in your inbox

DMCA / Correction Notice

Recent Articles

Related Stories

Stay on top - Get the daily news in your inbox