Google’s Threat Analysis Group (TAG) has identified Italian provider RCS Lab as a spyware vendor whose tools are used to exploit zero-day vulnerabilities to attack iOS and Android mobile users in Italy and Kazakhstan.
According to a Google blog post on Thursday, RCS Lab uses a combination of tactics, including atypical drive-by downloads, as initial infection vectors. The company has developed tools to spy on the personal data of targeted devices, the post said.
The Milan-based RCS Lab claims to have branches in France and Spain, and lists European government agencies as customers on its website. It claims to provide “advanced technical solutions” in the field of lawful interception.
The company was not available for comment and did not respond to email inquiries. In a statement to Reuters, RCS Lab said: “The staff of RCS Lab is not exposed or involved in any activities carried out by the relevant customers.”
On its website, the company advertises that it offers “full legal interception services, with more than 10,000 intercepted targets processed daily in Europe alone.”
Google’s TAG, meanwhile, said it had observed spyware campaigns using capabilities it attributed to RCS Lab. The campaigns begin with a unique link sent to the target which, when clicked, attempts to get the user to download and install a malicious application on an Android or iOS device.
In some cases this appears to be done in cooperation with the target’s ISP, which disables the device’s mobile data connection, Google said. The user then receives a link via SMS to download an application, ostensibly to restore the data connection.
For this reason, most of the applications are disguised as mobile carrier applications. When ISP involvement is not possible, the applications are disguised as messaging applications.
Authorized drive-by downloads
Defined as downloads that users allow without understanding the consequences, the “authorized drive-by” technique is a recurring method used to infect both iOS and Android devices, Google said.
The RCS Lab iOS drive-by follows Apple’s instructions for distributing proprietary in-house applications to Apple devices, Google said. It uses ITMS (IT Management Suite) protocols and signs payload applications with a certificate from 3-1 Mobile, an Italian company enrolled in the Apple Developer Enterprise Program.
The iOS payload is broken up into multiple parts and uses four publicly known exploits – LightSpeed, SockPuppet, TimeWaste and Avecesare – and two recently identified exploits, known internally as Clicked2 and Clicked3.
The Android drive-by relies on the user enabling installation of an app that disguises itself as a legitimate app and displays an official Samsung icon.
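Because the iOS delivery described above rides on Apple’s enterprise (in-house) distribution rather than the App Store, one practical defender check is to inspect the provisioning profile embedded in a sideloaded IPA and flag enterprise-distribution profiles from teams the organisation does not recognise. The following is an added example, not code from the Google post or from any vendor named here; the sample profile, team identifier and team name are constructed, and the code assumes the usual layout of embedded.mobileprovision (an XML plist wrapped in a CMS signature), which it locates by its markers without verifying the signature.

```python
import plistlib
from datetime import datetime, timezone
from typing import Optional, Set

# Constructed sample (not a real profile): the plist an in-house enterprise
# distribution profile carries inside embedded.mobileprovision. Real files wrap
# it in a DER/CMS signature; the surrounding junk bytes stand in for that envelope.
SAMPLE_MOBILEPROVISION = b"\x30\x82\x0b\x1a<cms-envelope-bytes>" + b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>AppIDName</key><string>Carrier Data Restore</string>
  <key>Name</key><string>In-House Wildcard</string>
  <key>ProvisionsAllDevices</key><true/>
  <key>TeamIdentifier</key><array><string>EXAMPLETEAM1</string></array>
  <key>TeamName</key><string>Example Enterprise S.r.l.</string>
  <key>ExpirationDate</key><date>2099-01-01T00:00:00Z</date>
</dict></plist>""" + b"<cms-signature-bytes>"


def extract_profile(blob: bytes) -> dict:
    """Pull the plist out of a CMS-wrapped .mobileprovision without a CMS parser.
    The signature is not verified here: this is triage, not a trust decision."""
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("no plist found in mobileprovision blob")
    return plistlib.loads(blob[start:end + len(b"</plist>")])


def assess_profile(profile: dict, allowed_teams: Set[str],
                   now: Optional[datetime] = None) -> dict:
    """Classify a profile. An in-house (enterprise) profile is recognised by
    ProvisionsAllDevices=true; such apps never pass App Store review, so one
    signed by a team outside the organisation's allowlist is flagged."""
    now = now or datetime.now(timezone.utc)
    teams = set(profile.get("TeamIdentifier", []))
    enterprise = bool(profile.get("ProvisionsAllDevices", False))
    expires = profile.get("ExpirationDate")          # plistlib yields a naive UTC datetime
    if expires is not None and expires.tzinfo is None:
        expires = expires.replace(tzinfo=timezone.utc)
    expired = expires is not None and expires < now
    if enterprise and not (teams & allowed_teams):
        verdict = "flag"      # enterprise-signed by an unknown team: investigate
    elif enterprise:
        verdict = "allow"     # the organisation's own in-house distribution
    else:
        verdict = "review"    # ad hoc / development profile, not enterprise
    return {"verdict": verdict, "enterprise": enterprise, "teams": sorted(teams),
            "team_name": profile.get("TeamName"), "expired": expired}
```

On a managed fleet the same check can be run against the `embedded.mobileprovision` of every non-App Store app an MDM inventory reports.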
To protect its users, Google has made changes to Google Play Protect and disabled the Firebase projects used as C2 (command-and-control) infrastructure to communicate with infected devices. In addition, Google has included several indicators of compromise (IOCs) in the post to warn Android victims.
Copyright © 2022 IDG Communications, Inc.