United states

Google warns of a new SPYWARE used to hack smartphones

Google has warned that spyware is being used by foreign governments to hack Apple and Android phones and monitor user activity.

The “spyware” intruder – software that steals information from a device – was created by Milan-based company RCS Lab, Google and security company Lookout have revealed.

The RCS Lab’s spyware is alleged to have been used by the Italian and Kazakh governments to spy on personal messages and contacts stored on their citizens’ smartphones.

However, spyware is potentially capable of spying on the victim’s browser, camera, address book, clipboard and chat applications.

RCS Lab is an example of a “legal interception” company that claims to sell only to customers with lawful use for surveillance, such as intelligence and law enforcement agencies.

But in reality, such tools have often been misused under the guise of national security to spy on business managers, human rights activists, journalists, scientists and government officials, security experts say.

Spyware is a specific type of malware that steals information from a computer and sends it to a third party without the person’s knowledge (photo file)

RCS Lab’s spyware, called “Hermit,” is believed to be distributed via text messages that appear to come from legitimate sources.

Spyware and malware

Spyware is a specific type of malware that steals information from a computer and sends it to a third party without the person’s knowledge.

Spyware collects your personal information and transmits it to advertisers, data companies or external users.

Meanwhile, malware is a comprehensive term for any type of malware, regardless of how it works, intends or spreads.

The term includes adware, spyware, viruses, Trojans, and more.

Source: Norton Security

It tricks consumers into serving what looks like legitimate high-profile brand web pages as it launches malicious activity in the background.

In some cases, citizens have been sent text messages asking them to install an application to correct their slow mobile connection – when in fact spyware is installed.

In those cases, the attackers managed to get the victim’s Internet Service Provider (ISP) to slow down their connection, Google said, to look like a legitimate message.

In other cases, citizens were sent links to a web page disguised as a high-tech company, such as Facebook.

As an example, Google posted a screenshot from one of the attacker’s controlled sites, www.fb-techsupport.com, to introduce itself to Facebook’s support team (the webpage no longer exists).

In Italian, he told the victims that their accounts had been suspended and they had to download an app to restore the account.

Google says it has taken steps to protect users of its Android operating system and warn them about spyware.

Apple and the governments of Italy and Kazakhstan did not respond immediately to requests for comment.

Screenshot posted by Google, which translates from Italian as: “Account reset suspended. Download and install, following the on-screen instructions, the application to check and restore your suspended account. At the end of the procedure you will receive an SMS to confirm the unlock.

Google said the commercial spyware industry was “thriving” and “growing at a significant rate,” a trend that “should affect all Internet users.”

HOW TO INSTALL Spyware?

In some cases, Google has said it believes that hackers using RCS spyware work with the Internet Service Provider (ISP) on target.

This method comes from a unique link sent to the destination.

After clicking, the page tried to force the user to download and install a malicious application on Android or iOS.

In some cases, participants may have worked with the target’s ISP to disable the target’s mobile data connection.

Once disabled, the attacker will send a malicious connection via SMS, asking the target to install an application to reconnect to data.

This is the reason why most applications are disguised as mobile operator applications.

When ISP participation was not possible, applications are disguised as messaging applications.

“These providers allow the spread of dangerous hacking tools and arm governments that would not be able to develop these capabilities in their own company,” Benoit Sevens and Clement Lecigne of the Google Threat Analysis Group said in a blog post.

“While the use of surveillance technology may be legal under national or international law, it is often found that it is used by governments for purposes contrary to democratic values ​​- against dissidents, journalists, human rights workers and opposition politicians. parties. ”

On its website, the RCS Lab claims that European law enforcement agencies are part of its customers and describes itself as a producer of ‘legal interception’ technologies and services, including voice, data collection and ‘tracking systems’.

It says it handles 10,000 intercepted targets a day in Europe alone.

In response to Google’s findings, the RCS Lab said its products and services comply with European rules and help law enforcement investigate crimes.

“RCS Lab staff is not exposed or involved in any activities carried out by their customers,” he told Reuters, adding that he condemned any misuse of its products.

Google published its blog post on Thursday, a few weeks after the San Francisco-based Lookout revealed its findings in detail.

According to Lookout, the RCS Lab spyware was used by the Kazakh government within its borders and was used by the Italian authorities in an anti-corruption operation in 2019.

“We also found evidence that an unknown actor used it in northeastern Syria, a predominantly Kurdish region that has been the site of numerous regional conflicts,” Lookout said.

Google also found that RCS Lab had previously collaborated with the controversial, non-existent Italian spy firm Hacking Team, which similarly created surveillance software for foreign governments to connect to phones and computers.

Hacking Team went bankrupt after falling victim to a major hack in 2015, which led to the disclosure of numerous internal documents.

The new findings for the RCS Lab come as European and US regulators assess potential new rules for the sale and import of spyware.

The global spyware industry for governments is growing, with more and more companies developing interception tools for law enforcement agencies.

Anti-surveillance activists accuse them of helping governments, which in some cases use such tools to fight human rights and civil rights.

Concerns about spyware were fueled by media reports last year that Israeli company NSO Pegasus’ tools had been used by governments to spy on journalists, activists and dissidents.

Providers of so-called “legal interception” spyware, such as RCS Lab and NSO, typically claim to sell only to entities that have legal use of surveillance software, such as police forces fighting organized crime or terrorism. Lookout. However, there have been many reports, especially in recent years, of spyware abuse (photo file)

“They claim to sell only to customers who legally use surveillance software, such as intelligence and law enforcement agencies,” said mobile cybersecurity specialist Lookout for companies such as the NSO and RCS Lab.

“In fact, such tools have often been misused under the guise of national security to spy on business managers, human rights activists, journalists, scientists and government officials.”

Although the RCS Lab tool may not be as hidden as Pegasus, it can still read messages and view passwords, said Bill Marchak, a security researcher at Citizen Lab.

“This shows that although these devices are ubiquitous, there is still a long way to go to protect them against these powerful attacks,” Marczak said.

PEGASUS: HOW MUCH POWER SPYING IS USED TO HACK JOURNALISTS

Pegasus is a powerful “malware” – malicious computer software – developed by the Israeli security company NSO Group.

This particular form of malware is known as “spyware”, which means that it is designed to collect data from an infected device without the owner’s knowledge and forward it to a third party.

While most spyware is limited in scope – it only collects data from certain parts of an infected system – Pegasus looks much more powerful, allowing its controller almost unlimited access to and control over an infected device.

This includes access to contact lists, emails and text messages, along with stored photos, videos and audio files.

The Pegasus can also be used to take control of the phone’s camera or microphone to record video and audio, and has access to GPS data to verify where the phone’s owner was.

It can also be used to record new incoming or outgoing phone calls.

Early versions of virus-infected phones using harsh phishing attacks in which users are tricked into downloading the virus on their own phones by clicking on a malicious link sent via text or email.

But researchers say the software has become much more sophisticated, using vulnerabilities in common phone applications to launch so-called “zero-click” attacks that can infect devices without the user doing anything.

For example, in 2019, WhatsApp revealed that 1,400 people were infected with NSO Group software using the so-called “zero day” error – a hitherto unknown error – in the application’s calling function.

Users were infected when calling via WhatsApp to their phones, whether they answered the call or not.

Most recently, the NSO began exploiting vulnerabilities in Apple’s iMessage software, giving it backdoor access to hundreds of millions of iPhones.

Apple says it is constantly updating its software to prevent such attacks, although human rights group Amnesty says it has uncovered successful attacks on even the latest iOS systems.

NSO Group says that Pegasus can also be …