The hacker tools of the Italian company RCS Lab were used to spy on Apple and Android smartphone users in Italy and Kazakhstan, Google experts said. Moreover, the Italian spyware vendor allegedly received help from some ISPs to infect devices.
According to Google TAG analysts, RCS Labs is just one of 30 spyware vendors they track. This Milanese company claims to have been operating since 1993 and for more than twenty years has been providing “law enforcement agencies around the world with advanced technological solutions and technical support in the field of legal monitoring and interception of information.”
The researchers write that during the drive-by attacks, which were used to infect the devices of several victims, users were asked to install malicious applications (including those disguised as legitimate applications of mobile operators), ostensibly to return online after the Internet connection was interrupted. on the provider’s side.
“We believe that in some cases, the attackers collaborated with the victim’s ISP to disable their mobile data connection,” the report says. “After disconnecting, the attacker sent a malicious link via SMS with a request to install an application to restore the connection.”
Analysts write that malicious applications deployed on victims’ devices were not available through the Apple App Store or Google Play stores. However, the attackers offered iOS malware (signed with a corporate certificate) and asked the victims to allow installation of apps from unknown sources.
The iOS app seen in these attacks had six built-in exploits that allowed privilege escalation on a compromised device and file theft:
- CVE-2018-4344 vulnerability known as LightSpeed;
- CVE-2019-8605 vulnerability known as SockPuppet (Google’s internal name is SockPort2);
- CVE-2020-3837 vulnerability known as LightSpeed;
- CVE-2020-9907 Google’s internal bug name is AveCesare;
- CVE-2021-30883 Google internal bug name —Clicked2, exploited since October 2021;
- CVE-2021-30983 Google’s internal bug name is Clicked3, fixed by Apple in December 2021.
“All exploits appeared before 2021 and were based on publicly available exploits written by various jailbreaking communities. At the time the attacks were discovered, we considered only CVE-2021-30883 and CVE-2021-30983 as zero-day exploits,” experts say.
As for the malicious Android application, it was delivered without exploits. At the same time, the malware had capabilities that allowed loading and executing additional modules using the DexClassLoader API.
Google says it has already notified Android device owners that their devices have been compromised and infected with spyware. The company also disabled Firebase projects used by attackers to set up the campaign’s management infrastructure.
I must say that this malware for Android, named Hermit, was studied in detail by experts from the security company Lookout, who published a threat report last week. According to them, Hermit is “modular spyware” that “abuses Accessibility services, can record audio, make and redirect phone calls, collect and steal data such as call logs, contacts, photos, device location and SMS messages.” messages.”
The researchers noted that the modularity of Hermit allows it to be customized for each specific victim, expanding or changing the functionality of the spyware depending on the requirements of the customer. At the same time, unfortunately, it was not possible to understand who was the target of the detected campaign, and which of the RCS Lab clients was associated with this.
Interestingly, according to Google TAG, seven of the nine zero-day vulnerabilities discovered in 2021 were developed by commercial spyware and vulnerability vendors and then sold to third parties and exploited by government hackers.
“Hermit is another example of a digital weapon that is used to attack civilians and their mobile devices, and the data collected by attackers is certainly invaluable,” experts from Zimperium comment on the reports of their colleagues.
Google TAG expresses concern that companies like RCS Lab are “secretly accumulating zero-day vulnerabilities,” which poses serious risks given that a number of spyware vendors have been compromised over the past decade. Experts fear that sooner or later the “reserves” of such companies “may be made public without warning.”
