Google revealed information about a spyware vendor called RCS Labs that was caught targeting people in Italy and Kazakhstan, according to the company’s Threat Analysis Group (TAG).
TAG says RCS Labs targeted both iOS and Android devices with its spyware. “All campaigns observed by TAG come from a unique link sent to the destination,” says TAG. “Once clicked, the page attempted to trick the user into downloading and installing a malicious application on Android or iOS.”
These malicious links seem to have arrived in two different flavors. TAG says one disguised itself as an app that could restore the victim’s cellular data connection — more on that in a moment — while the other pretended to be some sort of messaging app.
Of course, the former only works if someone has actually lost internet access on their phone, and it seems RCS Labs had some assistance with that. “In some cases,” says TAG, “we believe the actors worked with the target’s ISP to disable the target’s cellular data connectivity.”
Attacks then progressed based on what type of smartphone a target was using. On the iPhone, the spyware exploited six different vulnerabilities, two of which were zero-days according to TAG. (Google’s Project Zero has published a detailed report of one of these vulnerabilities, CVE-2021-30983.)
RCS Labs took a different approach with Android. According to TAG, the malicious app, designed to look like a legitimate Samsung app, “does not contain any exploits”. Instead, the group believes RCS Labs used a command-and-control infrastructure to download and run exploits remotely.
None of the malicious apps were delivered through the App Store or Google Play Store. Instead, TAG says RCS Labs uses features built into iOS and Android that allow users to “sideload” software, meaning the applications haven’t been subjected to the same scrutiny as officially distributed software.
“This campaign is a good reminder that attackers don’t always use exploits to gain the necessary permissions,” says TAG. “Basic infection vectors and drive-by downloads still work and can be very efficient with the help of local ISPs.”
TAG shared additional information about this campaign in its blog post, including various indicators of compromise and domains and IP addresses associated with these attacks. Lookout reported separately on the Android version of the spyware on June 16th.