Google Claims RCS Lab Hacking Tools Are Being Used to Target iOS and Android Users

The hacking tools of the Italian company RCS Lab were used to spy on Apple and Android smartphone users in Italy and Kazakhstan, Google experts said. Moreover, the Italian spyware vendor allegedly received help from some ISPs to infect devices.

Let me remind you that we also reported that intelligence agencies in at least 5 European countries used Pegasus spyware.

According to Google TAG analysts, RCS Lab is just one of 30 spyware vendors they track. The Milan-based company claims to have been in business since 1993 and has been providing “law enforcement agencies around the world with advanced technology solutions and technical support in the field of legal monitoring and interception of information” for more than twenty years.

The researchers write that in the drive-by attacks used to infect several victims’ devices, users were asked to install malicious applications (including some disguised as legitimate mobile operator apps), ostensibly to get back online after their Internet connection had been cut on the provider’s side.

“We believe that in some cases, the attackers collaborated with the victim’s ISP to disable their mobile data connection. After disconnecting, the attacker sent a malicious link via SMS with a request to install an application to restore the connection,” the report says.

Analysts write that the malicious applications deployed on victims’ devices were not available through the Apple App Store or Google Play. Instead, the attackers distributed iOS malware signed with an enterprise (corporate) certificate, and asked victims to allow installation of apps from unknown sources.

The iOS app seen in these attacks bundled six exploits that allowed privilege escalation on a compromised device and theft of files:

  1. CVE-2018-4344, publicly known as LightSpeed;
  2. CVE-2019-8605, publicly known as SockPuppet (Google’s internal name is SockPort2);
  3. CVE-2020-3837, known as LightSpeed;
  4. CVE-2020-9907, Google’s internal name is AveCesare;
  5. CVE-2021-30883, Google’s internal name is Clicked2, exploited since October 2021;
  6. CVE-2021-30983, Google’s internal name is Clicked3, fixed by Apple in December 2021.

“All exploits appeared before 2021 and were based on publicly available exploits written by various jailbreaking communities. At the time the attacks were discovered, we considered only CVE-2021-30883 and CVE-2021-30983 as zero-day exploits,” the experts say.

As for the malicious Android application, it was delivered without any exploits. However, the malware was able to download and execute additional modules at runtime using the DexClassLoader API.
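Dynamic code loading through DexClassLoader is what lets an Android sample ship as a small, innocuous-looking APK and fetch its real payload later, so a reference to that class loader is one of the first things an analyst checks when triaging an app. The script below is an added illustration, not code from the article or from Google, Lookout or RCS Lab: it parses the string table of a classes.dex file (header offsets 56/60 for string_ids, ULEB128-prefixed MUTF-8 string data) and flags references to the runtime class loaders. The `build_sample_dex` helper constructs a minimal header-plus-string-table dex purely so the example runs offline; the sample strings and the file name `payload.jar` are made up for the demonstration.

```python
import struct

# Type descriptors of Android class loaders that pull in code at runtime.
# A reference in classes.dex is a triage signal, not proof of malice:
# plugin frameworks and some app-hardening SDKs use them legitimately.
DYNAMIC_LOADING_MARKERS = {
    "Ldalvik/system/DexClassLoader;": "loads classes from an external .dex/.jar/.apk file",
    "Ldalvik/system/InMemoryDexClassLoader;": "loads classes from a dex held in memory",
}

def read_uleb128(data, off):
    """Decode one unsigned LEB128 value starting at data[off]; return (value, next_off)."""
    result, shift = 0, 0
    while True:
        byte = data[off]
        off += 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result, off
        shift += 7

def encode_uleb128(value):
    """Encode a non-negative int as unsigned LEB128 (used to build the sample dex)."""
    out = bytearray()
    while True:
        byte = value & 0x7F
        value >>= 7
        if value:
            out.append(byte | 0x80)
        else:
            out.append(byte)
            return bytes(out)

def dex_strings(data):
    """Return every entry of the dex string table, in string_ids order.

    dex_header_item: string_ids_size at offset 56, string_ids_off at offset 60
    (little-endian uint32). Each string_id_item is a uint32 offset to a
    string_data_item: ULEB128 UTF-16 length, MUTF-8 bytes, NUL terminator.
    Plain UTF-8 decoding is good enough for the ASCII descriptors we look for.
    """
    if data[:4] != b"dex\n":
        raise ValueError("not a dex file (bad magic)")
    count, ids_off = struct.unpack_from("<II", data, 56)
    strings = []
    for i in range(count):
        (str_off,) = struct.unpack_from("<I", data, ids_off + 4 * i)
        _utf16_len, pos = read_uleb128(data, str_off)
        end = data.index(b"\x00", pos)
        strings.append(data[pos:end].decode("utf-8", errors="replace"))
    return strings

def find_dynamic_loading(data):
    """Map each dynamic-loading descriptor present in the dex to its description."""
    present = set(dex_strings(data))
    return {d: why for d, why in DYNAMIC_LOADING_MARKERS.items() if d in present}

def build_sample_dex(strings):
    """Construct a minimal dex (header + string table only) for offline testing.

    A real dex also carries type/proto/method tables, a map list, a checksum
    and a SHA-1 signature; they are left zeroed because dex_strings ignores them.
    """
    header_size = 0x70
    ids_off = header_size
    data_off = ids_off + 4 * len(strings)
    offsets, blobs, cur = [], [], data_off
    for s in strings:
        blob = encode_uleb128(len(s)) + s.encode("utf-8") + b"\x00"
        offsets.append(cur)
        blobs.append(blob)
        cur += len(blob)
    string_data = b"".join(blobs)
    header = bytearray(header_size)
    header[0:8] = b"dex\n035\x00"                    # magic + version 035
    struct.pack_into("<I", header, 32, cur)          # file_size
    struct.pack_into("<I", header, 36, header_size)  # header_size
    struct.pack_into("<I", header, 40, 0x12345678)   # endian_tag
    struct.pack_into("<II", header, 56, len(strings), ids_off)
    struct.pack_into("<II", header, 104, len(string_data), data_off)
    string_ids = b"".join(struct.pack("<I", o) for o in offsets)
    return bytes(header) + string_ids + string_data

# Constructed samples: one dex that references DexClassLoader, one that does not.
SUSPECT_DEX = build_sample_dex([
    "Landroid/app/Activity;", "Ldalvik/system/DexClassLoader;",
    "loadClass", "payload.jar", "Ljava/lang/Object;",
])
CLEAN_DEX = build_sample_dex(["Landroid/app/Activity;", "onCreate", "Ljava/lang/Object;"])

if __name__ == "__main__":
    import sys
    # Pass a classes.dex extracted from an APK; with no argument, scan the constructed sample.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SUSPECT_DEX
    for descriptor, why in find_dynamic_loading(blob).items():
        print(f"dynamic code loading: {descriptor} ({why})")
```

Run it against a classes.dex pulled out of an APK (`unzip -p app.apk classes.dex > classes.dex`) and treat a hit as a reason to look at what the app writes to its private storage and where it fetches files from, rather than as a verdict on its own; multi-dex apps need each classesN.dex scanned.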

Google says it has already notified the owners of affected Android devices that their devices were compromised and infected with spyware. The company also disabled the Firebase projects the attackers used to host the campaign’s command-and-control infrastructure.

I also must say that experts from the security company Lookout studied an Android malware named Hermit in detail and published a threat report last week. According to them, Hermit is “modular spyware” that “abuses Accessibility services, can record audio, make and redirect phone calls, collect and steal data such as call logs, contacts, photos, device location and SMS messages.”

The researchers noted that Hermit’s modularity allows it to be tailored to each victim, extending or changing the spyware’s functionality according to the customer’s requirements. Unfortunately, it was not possible to determine who the targets of the detected campaign were, or which RCS Lab client was behind it.

Interestingly, according to Google TAG, seven of the nine zero-day vulnerabilities discovered in 2021 were developed by commercial spyware and vulnerability vendors and then sold to third parties and exploited by government hackers.

“Hermit is another example of a digital weapon that is used to attack civilians and their mobile devices, and the data collected by attackers is certainly invaluable,” experts from Zimperium comment on their colleagues’ reports.

Google TAG expresses concern that companies like RCS Lab are “secretly accumulating zero-day vulnerabilities,” which poses serious risks given that a number of spyware vendors have been compromised over the past decade. Experts fear that sooner or later the “reserves” of such companies “may be made public without warning.”
Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.
