In this hearing Last week, the notorious spyware supplier’s NSO consortium told European lawmakers that at least five EU countries were using their powerful Pegasus surveillance malware. But as it sheds more and more light on the reality of how NSO products are abused around the world, researchers are also working to raise awareness that the rental surveillance industry is far more than just a company. company. On Thursday, Google Threat Analysis Team and Project Zero Vulnerability Team announceded detect about the iOS version of a spyware product by Italian developer RCS Labs.
Google researchers say they have discovered victims of this spyware in Italy and Kazakhstan on both Android and iOS devices. Last week, security company Lookout published findings about the Android version of the spyware, which it calls “Hermit” and also belongs to RCS Labs. Lookout notes that Italian officials used a version of spyware in the 2019 anti-corruption investigation. In addition to victims in Italy and Kazakhstan, Lookout also found data indicating an unidentified entity used spyware to target in northeastern Syria.
“Google has tracked the activities of commercial spyware vendors for many years, and in that time we have seen the industry rapidly expand from a few vendors to the entire world. ecosystem suite,” TAG security engineer Clement Lecigne told WIRED. “These vendors are enabling the proliferation of dangerous hacking tools, arming governments that cannot develop these capabilities in-house. But there is little or no transparency in this industry, which is why it is so important to share information about these vendors and their capabilities. ”
TAG says it currently tracks more than 30 spyware manufacturers that provide a range of technical capabilities and levels of sophistication to government-backed customers.
In their analysis of the iOS version, Google researchers found that attackers spread iOS spyware with a fake app that looks like the vendor’s My Vodafone app. Popular international mobile service. In both Android and iOS attacks, attackers can simply trick the target into downloading an app that appears to be a messaging app by distributing a malicious link for the victim to click. enter. But in some particularly impressive iOS targeting cases, Google discovered that attackers could have worked with local ISPs to cut off a particular user’s mobile data connection, sending give them a malicious download link via SMS and convince them to install the fake My Vodafone app. over Wi-Fi with the promise that this will restore their cellular service.
Attackers were able to distribute malicious apps because RCS Labs signed up with Apple’s Enterprise Developer Program, apparently through a shell company called 3-1 Mobile SRL, to obtain credentials. just allow them to download apps without going through the typical Apple AppStore review process.
Apple told WIRED that all known accounts and certificates associated with the spyware campaign have been revoked.
“Enterprise certificates are intended for internal use by a company only and are not intended for general app distribution, as they can be used to bypass App Store and iOS protections.” ,” the company wrote in an October report about sideloading. “Despite the program’s tight control and limited size, bad actors have found ways to gain unauthorized access to the program, such as by purchasing enterprise certificates on the black market. ”
