After the NSO Group, a new European player seems to be active in the sale of spyware. Google says the company’s tools have been tapping phones in Italy and Kazakhstan.
In a report, Google says that the spyware comes from the Italian company RCS Labs. The company says it has European police services (‘law enforcement’) as customers and provides them with tools to spy on victims’ private messages and contacts.
Google, the maker of the Android operating system, now warns that it has noticed targeted attacks with the spyware on devices in Kazakhstan and Italy, against both Android and iOS (iPhone). Apple tells Reuters that it has revoked accounts and certificates involved in the hacking campaign. Google also says it has taken action and notified the victims.
RCS Labs reportedly combines several tactics to infect victims. Drive-by downloads are mentioned, among others: the victim is persuaded to click on a link, after which the infection happens in the background. With advanced, as yet undiscovered malware, this means the user does not have to install or approve anything; clicking on the link that delivers the malware is in many cases enough to make the attack successful.
Here it happens in a slightly different way. To get users to this point, Google thinks that those carrying out the attacks (police services) are working with the mobile operator to turn off the victim’s mobile data. An SMS is then sent asking the victim to click on a link and install an app to restore the data connection. This is partly why Google thinks that some of the attacks are disguised as (fake) apps from the telecom provider.
RCS Labs itself tells the news agency that it follows European legislation, that its staff does not participate in the activities of its customers, and that it condemns any misuse of the tools.
Google, for its part, is critical of such practices. In its report, it says such players spread dangerous hacking tools and thus arm governments. More technical analysis of the findings can be found on Google’s Project Zero blog.