Google's Threat Analysis Group (TAG) has identified Italian vendor RCS Lab as the creator of spyware, developing tools used to exploit zero-day vulnerabilities to attack iOS and Android mobile device users in Italy and Kazakhstan.

According to a Google blog post on Thursday, RCS Lab uses a combination of tactics, including atypical drive-by downloads as initial infection vectors. The company has developed tools to spy on the private data of target devices, according to the post.

Milan-based RCS Lab claims to have subsidiaries in France and Spain and has listed European government agencies as its clients on its website. It claims to provide "advanced technical solutions" in the field of lawful interception.

The company was not available for comment and did not respond to email inquiries. In a statement to Reuters, RCS Lab said: "RCS Lab staff are not exposed to or involved in any activities carried out by affected customers."

On its website, the firm advertises that it offers "comprehensive lawful interception services, with over 10.000 intercepted targets processed daily in Europe alone."

Google's TAG, for its part, said it has observed spyware campaigns using features it attributes to the RCS Lab. The campaigns originate from a unique link sent to the target, which, when clicked, attempts to trick the user into download and install a malicious app on Android or iOS devices.

This appears to be done, in some cases, by working with the target device's ISP to disable mobile data connectivity, Google said. Afterwards, the user receives an app download link via SMS, supposedly to regain data connectivity.

For this reason, most apps masquerade as mobile operator apps. When ISP involvement is not possible, apps masquerade as messaging apps.

Downloads in the car allowed

Defined as downloads that users allow without understanding the consequences, the "driving by permit" technique has been a recurring method used to infect iOS and Android devices, Google said.

The iOS RCS Player follows Apple's guidelines for distributing proprietary in-house apps on Apple devices, Google said. It uses ITMS (IT Management Suite) protocols and signs payload-bearing applications with a certificate from 3-1 Mobile, an Italy-based company enrolled in the Apple Developer Enterprise Program.

The iOS payload is divided into several parts. leveraging four publicly known exploits: LightSpeed, SockPuppet, TimeWaste, Avecesare, and two recently identified exploits known internally as Clicked2 and Clicked 3.

Android drive-by relies on users allowing the installation of an app that masquerades as a legitimate app displaying an official Samsung icon.

To protect its users, Google implemented changes to Google Play Protect and disabled Firebase projects used as C2, command and control techniques used for communications with affected devices. Also, Google has included some Indicators of Compromise (IOC) in the message to warn Android victims.

Copyright © 2022 IDG Communications, Inc.

Share This