Google’s Threat Analysis Group (TAG) revealed today that RCS Labs, an Italian spyware vendor, has received help from some Internet service providers (ISPs) to infect Android and iOS users in Italy and Kazakhstan with commercial surveillance tools.
RCS Labs is just one of more than 30 spyware vendors whose activity is currently tracked by Google, according to Google TAG analysts Benoit Sevens and Clement Lecigne.
In attacks that began with a malicious link sent to the target, victims were prompted to install malicious apps (camouflaged as legitimate mobile carrier apps) to get back online after their mobile data connectivity had been cut off with the help of their ISP.
“In some cases, we believe the actors worked with the target’s ISP to disable the target’s mobile data connectivity,” the report claims.
“Once disabled, the attacker would send a malicious link via SMS asking the target to install an application to recover their data connectivity.”
If they couldn’t directly work with their targets’ ISPs, the attackers would disguise the malicious apps as messaging applications.
They pushed them using a made-up support page that claimed to help the potential victims recover their Facebook, Instagram, or WhatsApp suspended accounts.
However, while the Facebook and Instagram links would allow them to install the official apps, when clicking the WhatsApp link they would end up installing a malicious version of the legitimate WhatsApp app.
Multiple exploits (some of them zero-days) used for surveillance
Google says the malicious apps deployed on the victims’ devices weren’t available in the Apple App Store or Google Play. Instead, they were sideloaded: the iOS version was signed with an enterprise certificate, which allows it to be installed outside the App Store, while Android targets had to be talked into enabling the installation of apps from unknown sources before the APK would install.
The iOS app spotted in these attacks came with several built-in exploits allowing it to escalate privileges on the compromised device and steal files.
“It contains a generic privilege escalation exploit wrapper which is used by six different exploits. It also contains a minimalist agent capable of exfiltrating interesting files from the device, such as the Whatsapp database,” the analysts explained.
In all, it bundled six different exploits:
- CVE-2018-4344, internally referred to and publicly known as LightSpeed
- CVE-2019-8605, internally referred to as SockPort2 and publicly known as SockPuppet
- CVE-2020-3837, internally referred to and publicly known as TimeWaste
- CVE-2020-9907, internally referred to as AveCesare
- CVE-2021-30883, internally referred to as Clicked2, marked by Apple as exploited in the wild in October 2021
- CVE-2021-30983, internally referred to as Clicked3, fixed by Apple in December 2021
“All exploits used before 2021 are based on public exploits written by different jailbreaking communities. At the time of discovery, we believe CVE-2021-30883 and CVE-2021-30983 were two 0-day exploits,” they added.
On the other hand, the malicious Android app came with no bundled exploits. Still, it featured capabilities that would allow it to download and execute additional modules using the DexClassLoader API.
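A first triage step for an Android sample like the one described above is to check whether its classes.dex references dynamic code-loading classes at all, since a dropper with no bundled exploits still has to name DexClassLoader (or a sibling) in its string table to use it. The script below is an added example written for this article, not code from Google TAG, Lookout or RCS Labs: it parses the DEX header and string_ids table directly and flags entries matching a small indicator list. The indicator list, the `build_sample_dex` helper and the `SAMPLE_DEX` bytes are assumptions constructed for this example; they are not derived from the real implant.

```python
"""Static triage: flag dynamic code-loading APIs in a DEX file's string table.

Added example, not code from Google TAG or RCS Labs. It builds a constructed
minimal DEX image (not a real malware sample) and parses the header and
string_ids table to flag strings such as "Ldalvik/system/DexClassLoader;".
"""
from __future__ import annotations

import struct

DEX_MAGIC_PREFIX = b"dex\n"
HEADER_SIZE = 0x70

# Class descriptors and method names whose presence warrants a closer look.
# This list is an assumption for the example, not an official indicator set.
DYNAMIC_LOADING_INDICATORS = (
    "Ldalvik/system/DexClassLoader;",
    "Ldalvik/system/PathClassLoader;",
    "Ldalvik/system/InMemoryDexClassLoader;",
    "loadClass",
    "loadDex",
)


def _read_uleb128(data: bytes, off: int) -> tuple[int, int]:
    """Decode an unsigned LEB128 value at off; return (value, next_offset)."""
    result, shift = 0, 0
    while True:
        byte = data[off]
        off += 1
        result |= (byte & 0x7F) << shift
        if byte & 0x80 == 0:
            return result, off
        shift += 7


def dex_strings(data: bytes) -> list[str]:
    """Return every entry of a DEX file's string table, in string_ids order."""
    if len(data) < HEADER_SIZE or not data.startswith(DEX_MAGIC_PREFIX):
        raise ValueError("not a DEX file")
    # string_ids_size and string_ids_off live at 0x38 and 0x3C in header_item.
    count, table_off = struct.unpack_from("<II", data, 0x38)
    out = []
    for i in range(count):
        (item_off,) = struct.unpack_from("<I", data, table_off + 4 * i)
        # string_data_item: uleb128 utf16_size, then MUTF-8 bytes, then NUL.
        _, start = _read_uleb128(data, item_off)
        end = data.index(b"\x00", start)
        # MUTF-8 matches UTF-8 for the ASCII identifiers checked here.
        out.append(data[start:end].decode("utf-8", errors="replace"))
    return out


def flag_dynamic_loading(data: bytes) -> list[str]:
    """Return the string-table entries that match a dynamic-loading indicator."""
    return [s for s in dex_strings(data) if s in DYNAMIC_LOADING_INDICATORS]


def build_sample_dex(strings: list[str]) -> bytes:
    """Construct a minimal DEX image whose string table holds `strings`.

    Only the header fields the parser reads are filled in; checksum and
    signature stay zeroed. Constructed test input, not a campaign sample.
    """
    table_off = HEADER_SIZE
    data_off = table_off + 4 * len(strings)
    blobs, offsets = [], []
    for s in strings:
        offsets.append(data_off + sum(len(b) for b in blobs))
        # utf16_size fits in one uleb128 byte for the short ASCII names used.
        blobs.append(bytes([len(s)]) + s.encode("utf-8") + b"\x00")
    header = bytearray(HEADER_SIZE)
    header[0:8] = b"dex\n035\x00"
    body = b"".join(struct.pack("<I", o) for o in offsets) + b"".join(blobs)
    struct.pack_into("<I", header, 0x20, HEADER_SIZE + len(body))  # file_size
    struct.pack_into("<I", header, 0x24, HEADER_SIZE)              # header_size
    struct.pack_into("<I", header, 0x28, 0x12345678)               # endian_tag
    struct.pack_into("<II", header, 0x38, len(strings), table_off)
    return bytes(header) + body


# Constructed string table: a benign-looking app plus the loader class and
# method a dropper that fetches extra modules would have to reference.
SAMPLE_DEX = build_sample_dex([
    "Landroid/app/Activity;",
    "Ldalvik/system/DexClassLoader;",
    "loadClass",
    "onCreate",
])

if __name__ == "__main__":
    print(flag_dynamic_loading(SAMPLE_DEX))
```

To run it against a real APK, unzip classes.dex (and any classesN.dex) from the archive and pass the raw bytes to `flag_dynamic_loading`. A hit is a reason to look further, not a verdict: plenty of legitimate apps load code dynamically, and an implant can also hide the class name behind reflection or string obfuscation, which this plain string match will miss.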
In a tweet posted on June 23, 2022, Billy Leonard (@billyleonard) wrote: “The proliferation of surveillance and spyware capabilities, like those described by TAG today from RCS Lab, should be a major concern for all internet users, and one that we will continue to counter and disrupt.”
Some victims notified their devices were compromised
Google has warned Android victims that their devices were hacked and infected with spyware, dubbed Hermit by security researchers at Lookout in a detailed analysis of this implant published last week.
According to Lookout, Hermit is “modular surveillanceware” that “can record audio and make and redirect phone calls, as well as collect data such as call logs, contacts, photos, device location and SMS messages.”
Google has also disabled the Firebase projects used by the threat actors to set up a command-and-control infrastructure for this campaign.
In May, Google TAG exposed another campaign in which state-backed threat actors used five zero-day security flaws to install Predator spyware developed by commercial surveillance developer Cytrox.
“TAG is actively tracking more than 30 vendors with varying levels of sophistication and public exposure selling exploits or surveillance capabilities to government-backed actors,” Google said at the time.