The Google Threat Analysis Group (TAG) has told the European Parliament that commercial surveillance vendors are now using capabilities and exploits that were once available only to governments to target victims, including working with Internet service providers to plant malware on users' devices.
TAG is tracking more than 30 spyware vendors selling exploits and surveillance capabilities to government-backed actors, and Google says it is working to disrupt an industry that, in its view, undermines trust and makes the Internet less secure.
Google warns that the commercial spyware industry is thriving and growing, and that while the use of these capabilities may be legal under national or international law, governments often use them to target dissidents, journalists, and human rights activists, and for purposes contrary to democratic values.
Spyware vendors tracked by TAG and Google Project Zero security researchers include RCS Labs of Italy.
RCS Labs' capabilities were used last year to target victims in Italy and Kazakhstan with unique links sent to the victims' Android and Apple iOS devices.
TAG believes that in some cases the threat actors worked with the victim's ISP to disable the target's mobile data connectivity.
“Once disabled, the attacker sent a malicious link via SMS asking the target to install an application to recover its data connectivity.
We believe this is the reason why most apps were disguised as mobile carrier apps,” wrote TAG researchers Benoit Sevens and Clement Lecigne.
When ISP cooperation was not possible, the threat actors instead used fake messaging applications as lures.
On Android, the malware disguised itself as a legitimate Samsung app, using the Korean company's logo as its icon.
One application analyzed by TAG contained no fewer than six different exploits, used for privilege escalation and data exfiltration.
Spyware vendors that stockpile zero-days and exploits are a risk in themselves: they become targets for other malicious actors, and the exploits they hold frequently end up being used in attacks.
Google said the commercial surveillance industry's practices are harmful and call for a robust, comprehensive response.
This includes cooperation between threat intelligence teams, network defenders, academic researchers, governments, and the major technology platforms.