Google Claims RCS Lab Hacking Tools Are Being Used to Target iOS and Android Users

The hacker tools of the Italian company RCS Lab were used to spy on Apple and Android smartphone users in Italy and Kazakhstan, Google experts said. Moreover, the Italian spyware vendor allegedly received help from some ISPs to infect devices.

According to Google TAG analysts, RCS Labs is just one of 30 spyware vendors they track. The Milan-based company claims to have been in business since 1993 and has been providing “law enforcement agencies around the world with advanced technology solutions and technical support in the field of legal monitoring and interception of information” for more than twenty years.

The researchers write that during the drive-by attacks, which were used to infect the devices of several victims, users were asked to install malicious applications (including those disguised as legitimate applications of mobile operators), ostensibly to return online after the Internet connection was interrupted on the provider’s side.

Analysts write that malicious applications deployed on victims’ devices were not available through the Apple App Store or Google Play stores. However, the attackers offered iOS malware (signed with a corporate certificate) and asked the victims to allow installation of apps from unknown sources.

The iOS app seen in these attacks had six built-in exploits that allowed privilege escalation on a compromised device and file theft:

1. CVE-2018-4344 vulnerability known as LightSpeed;
2. CVE-2019-8605 vulnerability known as SockPuppet (Google’s internal name is SockPort2);
3. CVE-2020-3837 vulnerability known as LightSpeed;
4. CVE-2020-9907 Google’s internal bug name is AveCesare;
5. CVE-2021-30883 Google internal bug name — Clicked2, exploited since October 2021;
6. CVE-2021-30983 Google’s internal bug name is Clicked3, fixed by Apple December 2021.

As for the malicious Android application, it was delivered without exploits. At the same time, the malware had capabilities that allowed loading and executing additional modules using the DexClassLoader API.

Google says it has already notified Android device owners that their devices have been compromised and infected with spyware. The company also disabled Firebase projects used by attackers to set up the campaign’s management infrastructure.

I also must say that xperts from the security company Lookout studied in detail an Android malaware, named Hermit and published a threat report last week. According to them, Hermit is “modular spyware” that “abuses Accessibility services, can record audio, make and redirect phone calls, collect and steal data such as call logs, contacts, photos, device location and SMS messages.” messages.”

The researchers noted that the modularity of Hermit allows it to be customized for each specific victim, expanding or changing the functionality of the spyware depending on the requirements of the customer. At the same time, unfortunately, it was not possible to understand who was the target of the detected campaign, and which of the RCS Lab clients was associated with this.

Interestingly, according to Google TAG, seven of the nine zero-day vulnerabilities discovered in 2021 were developed by commercial spyware and vulnerability vendors and then sold to third parties and exploited by government hackers.