Researchers from Google’s Threat Analysis Group (TAG) yesterday disclosed that certain Internet Service Providers (ISPs) helped Italian spyware vendor RCS Labs infect iOS and Android users in Italy and Kazakhstan with surveillance tools.
TAG tracks more than 30 spyware vendors, including RCS Labs, according to security researchers Clement Lecigne and Christian Resell. The attacks used drive-by-downloads to deploy malware on multiple devices.
The ISPs involved cut their victims’ mobile data connection, helping the perpetrators trick them into installing fake mobile carrier apps under the pretense of getting back online. Since the targets lacked connectivity, the threat actors sent the malicious links via SMS.
“In some cases, we believe the actors worked with the target’s ISP to disable the target’s mobile data connectivity,” Google TAG’s report says. “Once disabled, the attacker would send a malicious link via SMS asking the target to install an application to recover their data connectivity. We believe this is the reason why most of the applications masqueraded as mobile carrier applications.”
The spyware vendor couldn’t always cooperate with the targets’ ISPs, so it also used fake messaging apps to lure victims. The group crafted decoy support pages offering to help potential victims recover suspended Instagram, WhatsApp or Facebook accounts.
Fake support pages hosted links to install applications; while Facebook and Instagram pages pointed to official apps, the WhatsApp URL pointed to a malicious version of the messaging app.
It’s worth mentioning that the malicious apps weren’t available in Google Play or Apple’s App Store. To infect iOS users, perpetrators sideloaded the iOS version of the app and asked targets to enable installation of apps from unknown sources. The malicious iOS app was signed with an enterprise certificate and packed several privilege escalation exploits, as follows:
While its Android counterpart carried no exploits, it could download and execute additional modules at runtime through the DexClassLoader API.
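The Android sample's ability to pull down and execute extra modules rests on standard platform APIs, so a defender triaging an unknown APK can look for the combination that makes it possible: a dynamic class loader plus a way to fetch or write the code it loads. The script below is an added example, not code from Google TAG's report or from the campaign; it scans a dump of an app's `classes.dex` string pool (for instance the output of `strings classes.dex`) for those indicators and assigns a coarse risk level. The string pools it runs on are constructed for illustration, the indicator labels and the `triage` / `find_indicators` names are this example's own, and the scoring is a heuristic: many legitimate apps use `loadClass` or `java.net.URL`, so a hit is a reason to look closer, not a verdict.

```python
"""Static triage for Android dynamic code loading indicators (added example).

Input is a list of string-pool entries from an APK's classes.dex, e.g.
`strings classes.dex`. Descriptors follow the DEX/JVM form (Lpkg/Class;).
The sample pools at the bottom are constructed, not real malware.
"""

# Indicator catalogue, grouped by the capability each entry suggests.
# Keys ending in '/' are package prefixes; all others must match a whole entry.
INDICATORS = {
    "dynamic_loading": {
        "Ldalvik/system/DexClassLoader;": "DexClassLoader (loads DEX/JAR from an arbitrary path)",
        "Ldalvik/system/InMemoryDexClassLoader;": "InMemoryDexClassLoader (loads DEX from memory)",
        "Ldalvik/system/DexFile;": "DexFile",
        "loadDex": "DexFile.loadDex",
        "loadClass": "ClassLoader.loadClass (common in benign reflection too)",
    },
    "network": {
        "Ljava/net/HttpURLConnection;": "HttpURLConnection",
        "Ljava/net/URL;": "java.net.URL",
        "Lokhttp3/OkHttpClient;": "OkHttp client",
        # TAG reported Firebase projects used as C2 in this campaign.
        "Lcom/google/firebase/": "Firebase SDK",
    },
    "file_write": {
        "Ljava/io/FileOutputStream;": "FileOutputStream",
        "getCodeCacheDir": "Context.getCodeCacheDir (app-private code directory)",
        "getDir": "Context.getDir",
    },
}


def _matches(entry: str, pattern: str) -> bool:
    """Prefix match for package patterns, exact match for everything else."""
    return entry.startswith(pattern) if pattern.endswith("/") else entry == pattern


def load_strings_dump(text: str) -> list[str]:
    """Turn a `strings` dump into a clean list of string-pool entries."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def find_indicators(strings: list[str]) -> dict[str, list[str]]:
    """Return the indicator labels found in each capability group (deduplicated)."""
    found: dict[str, list[str]] = {group: [] for group in INDICATORS}
    for entry in strings:
        for group, patterns in INDICATORS.items():
            for pattern, label in patterns.items():
                if _matches(entry, pattern) and label not in found[group]:
                    found[group].append(label)
    return found


def triage(strings: list[str]) -> dict:
    """Heuristic risk level (example scoring, not a vendor's rule set).

    high   - dynamic loader AND a way to fetch or stage code (network or file write)
    medium - dynamic loader only
    low    - nothing of note
    """
    found = find_indicators(strings)
    if found["dynamic_loading"] and (found["network"] or found["file_write"]):
        risk = "high"
    elif found["dynamic_loading"]:
        risk = "medium"
    else:
        risk = "low"
    return {"risk": risk, **found}


# Constructed string pool resembling an app that fetches and loads a DEX module.
SUSPICIOUS_STRING_POOL = load_strings_dump("""
Landroid/app/Activity;
Ljava/net/HttpURLConnection;
Ljava/io/FileOutputStream;
getCodeCacheDir
Ldalvik/system/DexClassLoader;
loadClass
Lcom/google/firebase/messaging/FirebaseMessaging;
""")

# Constructed string pool for an ordinary networked app with no code loading.
BENIGN_STRING_POOL = load_strings_dump("""
Landroid/app/Activity;
Ljava/net/URL;
Lokhttp3/OkHttpClient;
Landroid/widget/TextView;
""")

if __name__ == "__main__":
    for name, pool in (("suspicious", SUSPICIOUS_STRING_POOL), ("benign", BENIGN_STRING_POOL)):
        print(name, triage(pool))
```

In practice the same check is usually run with a decompiler or a tool such as androguard rather than over raw strings, but the logic is the same: the presence of a class loader alone is weak evidence, while a loader sitting next to download and write-to-private-storage capabilities is what distinguishes a module-fetching implant from an app that merely uses reflection.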
Google said it took steps to prevent these attacks and protect its users against them while warning that attackers could pull off attacks without using exploits.
“To protect our users, we have warned all Android victims, implemented changes in Google Play Protect and disabled Firebase projects used as C2 in this campaign,” Google says in its latest TAG report.