Google warns of new spyware aimed at iOS and Android users

At this week’s hearings, the notorious spyware vendor NSO Group told European lawmakers that at least five EU countries have used its powerful Pegasus surveillance malware. But as the reality of how NSO products have been abused around the world comes to light, researchers are also working to raise awareness that the surveillance-for-hire industry goes far beyond a single company. On Thursday, Google’s Threat Analysis Group (TAG) and its Project Zero vulnerability research team published findings on the iOS version of a spyware product attributed to the Italian developer RCS Labs.

Google researchers say they detected victims of the spyware in Italy and Kazakhstan on both Android and iOS devices. Last week, the security firm Lookout released findings on the Android version of the spyware, which it calls “Hermit” and which it also attributes to RCS Labs. Lookout notes that Italian officials used a version of the spyware during an anti-corruption investigation in 2019. In addition to the victims located in Italy and Kazakhstan, Lookout also found data indicating that an unidentified entity used the spyware for targeting in northeastern Syria.

“Google has been tracking the activities of commercial spyware vendors for years, and during that time we’ve seen how the industry has expanded rapidly from a few vendors to an entire ecosystem,” TAG security engineer Clement Lecigne told WIRED. “These vendors are enabling the proliferation of dangerous hacking tools, arming governments that could not develop these capabilities in-house. But there is little or no transparency in this industry, so it is critical to share information about these vendors and their capabilities.”

TAG says it currently tracks more than 30 spyware manufacturers that offer a variety of technical capabilities and levels of sophistication to government-backed customers.

In their analysis of the iOS version, Google researchers found that the attackers distributed the iOS spyware using a fake app designed to look like the My Vodafone app from the popular international mobile operator. In both the Android and iOS attacks, the attackers may have tricked targets into downloading what appeared to be a messaging app by sending a malicious link for victims to click. But in some particularly striking iOS cases, Google found that the attackers may have been working with local ISPs to cut off a specific user’s mobile data connection, send them a malicious download link via SMS, and convince them to install the fake My Vodafone app over Wi-Fi with the promise that this would restore their mobile service.

The attackers were able to distribute the malicious app because RCS Labs had enrolled in Apple’s Developer Enterprise Program, apparently through a shell company called 3-1 Mobile SRL, to obtain a certificate that allowed them to sideload apps without going through Apple’s usual App Store review process.

Apple tells WIRED that all known accounts and certificates associated with the spyware campaign have been revoked.

“Enterprise certificates are intended only for a company’s internal use and are not meant for general app distribution, as they can be used to circumvent App Store and iOS protections,” the company wrote in an October report on sideloading. “Despite strict controls and the limited scale of the program, bad actors have found unauthorized ways to access it, for example by buying enterprise certificates on the black market.”
