Posted on June 24, 2022 at 7:34 PM
Alphabet Inc’s Google has reported that Android and Apple smartphones in Kazakhstan and Italy were targeted by hackers using Italian hacking tools.
The spyware was developed by RCS Lab, which claimed that its clients are European law enforcement agencies. The tools were developed to spy on contacts and private messages of the targeted devices.
The report comes as American and European regulators consider new rules that would limit the sale and importation of spyware.
In a statement, Google noted that these vendors enable the distribution of dangerous hacking tools and equip state actors that cannot develop the capabilities in-house.
The governments of Kazakhstan and Italy have not responded to requests for comment. But an Apple spokesperson stated that all certificates and accounts linked to the hacking activities have been revoked by the company.
In response to the development, RCS Lab stated that its products and services comply with European rules. The spokesperson added that the company is ready to help law enforcement agencies investigate the incident. RCS Lab stated that its personnel are not impacted by the attack.
Google Protects Users From The Attack
Google says it has taken steps to offer users more protection against the malware operation. The tech giant explained that it has provided improved security to users and alerted them about the spyware.
The global industry that builds spyware for governments has been expanding, with more companies now developing tools for law enforcement agencies. Anti-surveillance activists have accused these manufacturers of aiding governments that sometimes use the tools to crack down on civil rights and human rights, and of helping governments increase their spying on citizens.
The industry generated a lot of controversy when several governments spied on dissidents, journalists, and activists using Pegasus, surveillance spyware developed by the Israeli company NSO Group.
The Malware Has Several Capabilities
Bill Marczak, a security researcher with Citizen Lab, stated that RCS tools are not as stealthy as Pegasus. But he noted that the spyware still has the capability of reading messages and new passwords. This means that although the devices are very helpful and available everywhere, manufacturers and users still have a long way to go when it comes to making them resistant to strong attacks.
RCS, on its website, stated that it manufactures ‘lawful interception’ technologies and services such as tracking, data collection, and voice systems. The company stated that it handles 10,000 intercepted targets daily in Europe alone.
Also, researchers at Google discovered that RCS Lab had earlier partnered with the notorious and now defunct Hacking Team. In the past, that group designed surveillance software to enable foreign governments to gain access to computers and mobile accessories. The group was dismantled after it was heavily hit by malware in a major attack in 2015, which led to the disclosure of several secrets and internal documents.
Google researchers stated that some hackers using the RCS spyware partnered with the targets’ internet service provider (ISP). This shows that the company could be affiliated with state-backed threat actors. There is also evidence that Hermit was used in the highly populated Kurdish region of Syria. Based on the analysis of the malware, a threat actor can deploy it to gain control of smartphones and record audio. It can also collect data, redirect calls, take photos, and perform many other actions on the victim’s device.
The Threat Actors Have Links With The Target’s ISP
Researchers at Google and Lookout are partnering to discover more about the malware and the different ways threat actors can use it against their targets. They noted that the spyware is distributed by getting targets to click on links in messages sent to them.
In a joint statement, the researchers said they believe that the hackers are collaborating with the target’s ISP to disable the target’s mobile data connectivity. Once the connection is disabled, the threat actor can send a malicious link through SMS and deceive the target into installing an app that supposedly helps recover the connection.
In reality, the app is intended to get the user to install the spyware and give it access. In some cases, it pretends to be from the target’s phone maker with the same aim of tricking the user into downloading the malware, the researchers stated.