Google has exposed how commercial malware by Milan’s RCS Lab infected both Android and iOS users in Italy and Kazakhstan in a new study.
Google has disclosed in a new blog post that it has been monitoring the activity of commercial spyware providers such as RCS Lab, which is based in Italy and was found to be targeting mobile users in Italy and Kazakhstan.
According to the company's blog post, the findings were uncovered by Google's Threat Analysis Group (TAG), which has tracked over 30 vendors with “varying levels of sophistication and public exposure selling exploits or surveillance capabilities to government-backed actors.”
The spyware developed by RCS Lab is believed to employ more than one strategy to target and compromise Android and iOS users in the affected regions, with non-standard drive-by downloads serving as the primary infection vector in the first stage. The following is a description of how the attack was carried out to trick people into installing malicious software.
How does RCS Lab’s spyware tool work?
Google's Threat Analysis Group observed the same pattern across all of the campaign's victims. The victim is sent a unique link that, when clicked, leads to a page where they are coerced into downloading and installing a malicious application on their Android or iOS device.
This software aims to disrupt the victim's mobile data connectivity, and it succeeds in doing so. That, however, is only the first stage of the attack.
Once data services have been disrupted, the attacker sends another malicious link via SMS, prompting the victim to install a second application in order to restore the connectivity that the initial compromise broke. These applications take different approaches depending on whether they run on an Android or an iOS device.
Google stated in the article that “we believe this is the reason why majority of the applications masqueraded as mobile carrier applications.” Additionally, Google stated that “where ISP participation is not allowed, applications are masqueraded as messaging applications.”
For iOS devices, the attackers simply followed Apple's instructions on how to distribute proprietary in-house apps to Apple devices. They used the itms-services protocol with the following manifest file and used com.ios.Carrier as the identifier. For Android devices, the attackers used a different distribution method.
The attacking application was signed with a certificate from a company called 3-1 Mobile SRL, which was enrolled in the Apple Developer Enterprise Program, so it satisfied all of iOS's code-signing requirements.
These malicious applications do not need to come from the App Store because they can be sideloaded onto the device. Once installed, the application uses a variety of vulnerabilities to elevate its privileges and exfiltrate sensitive files from the target device. Notably, all of the exploits were public ones developed by various jailbreaking communities.
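Defenders can triage the enterprise-distribution path described above by inspecting itms-services links and the manifest plists they point to. The script below is an added example and not Google TAG's or RCS Lab's code; the manifest contents, the `example.invalid` URLs and the `KNOWN_INTERNAL_BUNDLES` allowlist are constructed assumptions, while `com.ios.Carrier` is the identifier named in the report.

```python
# Triage helper for itms-services install links and their manifest plists
# (added example, not Google TAG's or RCS Lab's code).
import plistlib
from urllib.parse import urlparse, parse_qs
# Bundle identifiers the organisation really distributes in-house (assumed).
KNOWN_INTERNAL_BUNDLES = {"com.example.corp.fieldapp"}
# Constructed sample in the documented itms-services manifest format,
# advertising the com.ios.Carrier identifier named in the report.
SAMPLE_MANIFEST = b"""<plist version="1.0"><dict>
  <key>items</key><array><dict>
    <key>assets</key><array><dict>
      <key>kind</key><string>software-package</string>
      <key>url</key><string>https://example.invalid/carrier.ipa</string>
    </dict></array>
    <key>metadata</key><dict>
      <key>bundle-identifier</key><string>com.ios.Carrier</string>
      <key>bundle-version</key><string>1.0</string>
      <key>kind</key><string>software</string>
      <key>title</key><string>Carrier Settings</string>
    </dict>
  </dict></array>
</dict></plist>"""

def manifest_url_from_link(link):
    """Return the manifest URL carried by an itms-services:// link, else None."""
    u = urlparse(link)
    if u.scheme != "itms-services":
        return None
    q = parse_qs(u.query)
    if q.get("action") != ["download-manifest"]:
        return None
    return q.get("url", [None])[0]

def triage_manifest(data):
    """Return (bundle_id, title, package_url, verdict) for each manifest item."""
    findings = []
    for item in plistlib.loads(data).get("items", []):
        meta = item.get("metadata", {})
        bundle = meta.get("bundle-identifier", "")
        pkg = next((a.get("url") for a in item.get("assets", [])
                    if a.get("kind") == "software-package"), None)
        if bundle in KNOWN_INTERNAL_BUNDLES:
            verdict = "known-internal"
        elif bundle.lower().startswith("com.ios.") or "carrier" in bundle.lower():
            verdict = "suspicious-carrier-lookalike"
        else:
            verdict = "unknown-enterprise-app"
        findings.append((bundle, meta.get("title", ""), pkg, verdict))
    return findings
```

Any manifest whose bundle identifier is not on the in-house allowlist deserves a look; a carrier-sounding identifier outside the allowlist is the pattern this campaign relied on.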
For victims to install the downloaded APK on their Android phones, they first have to allow the installation of apps from unknown sources. The malicious application masquerades as a genuine Samsung offering, even using a Samsung logo to dupe unsuspecting users.
Google disclosed that while the APK itself did not include any exploits, its code hinted at exploits that could be downloaded and executed on the target device.
This campaign is a useful reminder that attackers do not necessarily need exploits to obtain the privileges they require. According to the post, basic infection vectors and drive-by downloads remain effective and can be made much more so with the assistance of local Internet service providers (ISPs).
The ‘concerning’ rate at which the commercial spyware sector is expanding
In its post, Google stated that all users ought to be concerned about the rising prevalence of spyware. “These vendors are enabling the proliferation of dangerous hacking tools and arming governments that would not be able to develop these capabilities in-house,” it claimed.
Apple has yet to respond to the report. Meanwhile, RCS Lab has denied any wrongdoing, stating that its products and services comply with European rules and help law enforcement authorities investigate crimes, according to a report by Reuters. According to that report, RCS Lab employees are not exposed to, and do not participate in, any of the activities carried out by its clients.