In hearings this week, the infamous spyware provider NSO group told European lawmakers that at least five EU countries have used their powerful Pegasus surveillance malware. But as more and more light comes to light on how NSO’s products have been abused around the world, researchers are also working to raise awareness that the rental monitoring industry goes far beyond one company. On Thursday, Google’s Threat Analysis Group and Project Zero vulnerability analysis team published fund about the iOS version of a spyware product attributed to Italian developer RCS Labs.
Google researchers say they discovered victims of spyware in Italy and Kazakhstan on both Android and iOS devices. Last week, security firm Lookout published results about the Android version of the spyware, which it calls “Hermit” and also attributes to RCS Labs. Lookout notes that Italian officials used a version of spyware during an anti-corruption investigation in 2019. In addition to victims in Italy and Kazakhstan, Lookout also found data indicating that an unidentified device used the spyware to target northeastern Syria.
“Google has been following the activities of commercial spyware vendors for years, and in that time we have seen the industry expand rapidly from a few vendors to an entire ecosystem,” TAG security engineer Clement Lecigne told WIRED. “These vendors allow the proliferation of dangerous hacking tools, arm governments that would not be able to develop these capabilities internally. But there is little or no transparency in this industry and therefore it is important to share information about these vendors and their options. “
TAG says it currently tracks more than 30 spyware manufacturers offering a range of technical options and levels of sophistication to government-backed customers.
In their analysis of the iOS version, Google researchers found that attackers distributed distributed iOS spyware using a fake app that looked like the “My Vodafone” app from the popular international mobile carrier. In both Android and iOS attacks, attackers may have simply tricked targets into downloading what appeared to be a messaging app by distributing a malicious link that victims could click on. But in some particularly dramatic cases of iOS targeting, Google found that attackers may have worked with local ISPs to disconnect a specific user’s mobile data connection, send them a malicious download link via SMS, and convince them to install the fake My Vodafone app over Wi-Fi with the promise that this would restore their mobile service.
Attackers were able to deploy the malicious app because RCS Labs had registered with Apple’s Enterprise Developer Program, apparently through a shell company called “3-1 Mobile SRL,” to obtain a certificate enabling them to sideload apps without going through Apple’s typical AppStore review process.
Apple tells WIRED that all known accounts and certificates associated with the spyware campaign have been revoked.
“Enterprise certificates are intended for internal use by a company only and are not intended for general app distribution, as they can be used to bypass the App Store and iOS protection,” the company wrote in an October report on page reading. “Despite the program’s tight controls and limited scope, bad actors have found unauthorized ways to access it, for example, by buying corporate certificates on the black market.”