In hearings this week, the notorious spyware vendor NSO group told European lawmakers that at least five EU countries have used its powerful Pegasus surveillance malware. But as more and more come to light about the reality of how NSO’s products have been misused around the world, researchers are also working to raise awareness that the surveillance-for-hire industry goes way beyond one company. . On Thursday, Google’s Threat Analysis Group and Project Zero’s vulnerability analysis team released findings on the iOS version of a spyware product attributed to Italian developer RCS Labs.
Google researchers say they have detected victims of the spyware in Italy and Kazakhstan on both Android and iOS devices. Last week, security firm Lookout released findings about the Android version of the spyware, calling it “Hermit” and also attributing it to RCS Labs. Lookout notes that Italian officials used a version of the spyware during a 2019 anti-corruption investigation. In addition to victims in Italy and Kazakhstan, Lookout also found data indicating that an unidentified entity used the spyware to target northeastern Syria. .
“Google has been monitoring the activities of commercial spyware vendors for years, and in that time we’ve seen the industry quickly expand from a few vendors to an entire ecosystem,” TAG security engineer Clement Lecigne tells WIRED. “These vendors enable the proliferation of dangerous hacking tools, arming governments that would not be able to develop these capabilities internally. But there’s little or no transparency in this industry, so it’s critical to share information about these vendors and their capabilities.”
TAG says it currently tracks more than 30 spyware makers who offer a range of technical capabilities and levels of sophistication to government-backed customers.
In their analysis of the iOS version, Google researchers found that attackers spread the iOS spyware using a fake app that was supposed to resemble the My Vodafone app from the popular international mobile operator. In both Android and iOS attacks, attackers simply tricked targets into downloading what appeared to be a messaging app by distributing a malicious link that victims could click. But in some particularly dramatic iOS targeting cases, Google discovered that attackers may have worked with local ISPs to cut a specific user’s mobile data connection, send them a malicious download link via text message, and convince them to install the fake My Vodafone app. to install. over wifi with the promise that it would restore their cell service.
Attackers were able to spread the malicious app because RCS Labs registered with Apple’s Enterprise Developer Program, apparently through a shell company called 3-1 Mobile SRL, to obtain a certificate that allowed them to sideload apps without the typical AppStore review process. having to go through Apple.
Apple tells WIRED that all known accounts and certificates associated with the spyware campaign have been revoked.
“Corporate certificates are only intended for internal use by a company and are not intended for general app distribution as they can be used to bypass App Store and iOS protections,” the company wrote in an October report on sideloading. “Despite the program’s tight controls and limited scale, attackers have found unauthorized ways to access it, such as buying corporate certificates on the black market.”