Google’s Threat Analysis Group (TAG) has identified Italian vendor RCS Lab as a spyware vendor whose tools are being used to exploit zero-day vulnerabilities in attacks on iOS and Android mobile users in Italy and Kazakhstan.
According to a Google blog post on Thursday, RCS Lab uses a combination of tactics, including an atypical drive-by download, as its initial infection vector. The company has developed tools to spy on the private data of the targeted devices, the post said.
Milan-based RCS Lab claims partners in France and Spain and lists European government agencies as its clients on its website. It claims to provide “state-of-the-art technological solutions” for lawful interception.
The company was unavailable for comment and did not respond to emailed questions. In a statement to Reuters, RCS Lab said: “RCS Lab staff do not disclose, or participate in, any activities conducted by relevant clients.”
On its website, the firm advertises that it “provides a complete lawful interception service, handling more than 10,000 intercepted targets per day in Europe alone.”
Google’s TAG, for its part, said it observed spyware campaigns using RCS Lab capabilities. The campaigns begin with a unique link sent to the target which, when clicked, attempts to get the user to download and install a malicious application on an Android or iOS device.
In some cases, Google said, this appears to have been done by working with the target device’s ISP to disable the target’s mobile data connection. The target then receives an application download link via SMS, purportedly to restore the data connection.
For this reason, most of the applications masquerade as mobile carrier applications. When ISP involvement is not possible, the applications masquerade as messaging applications.
Authorized drive-by download
Defined as downloads that users authorize without understanding the consequences, the “authorized drive-by” strategy is the recurring method used to infect both iOS and Android devices, Google said.
For the iOS drive-by, RCS Lab follows Apple’s instructions for distributing proprietary in-house apps to Apple devices, Google said. It uses the ITMS (IT Management Suite) protocol and signs the payload-carrying application with a certificate from an Italy-based company, 3-1 Mobile, enrolled in the Apple Developer Enterprise Program.
The iOS payload is split into multiple parts. It contains four publicly known exploits, LightSpeed, SockPuppet, TimeWaste and Avecesare, and two more recently identified exploits known internally as Clicked2 and Clicked3.
The Android drive-by relies on the user enabling installation of an app that disguises itself as a legitimate application and displays an official Samsung icon.
To protect its users, Google has implemented changes to Google Play Protect and disabled the Firebase projects used as C2, the command-and-control infrastructure used to communicate with compromised devices. Google has also listed indicators of compromise (IOCs) in the post to help warn Android victims.
Copyright © 2022 IDG Communications, Inc.