Notorious spyware vendor NSO Group told European lawmakers this week that at least five EU countries use its powerful Pegasus surveillance malware. But as more people learn about the reality of how NSO's products are being abused around the world, researchers are also working to raise awareness that the surveillance-for-hire industry extends far beyond one company. On Thursday, Google's Threat Analysis Group and Project Zero vulnerability analysis team released findings about the iOS version of the Italian developer RCS Labs' spyware product.
Google researchers say they have detected spyware victims on both Android and iOS devices in Italy and Kazakhstan. Last week, the security firm Lookout published findings on the Android version of the spyware, which it calls "Hermit" and also attributes to RCS Labs. Lookout noted that Italian officials used a version of the spyware in a 2019 anti-corruption investigation. In addition to victims located in Italy and Kazakhstan, Lookout also found data indicating that an unidentified entity was using the spyware to target northeastern Syria.
“Google has been tracking the activities of commercial spyware vendors for years, and during that time, we’ve seen the industry rapidly expand from a handful of vendors to an entire ecosystem,” TAG security engineer Clement Lecigne told Wired. “These vendors have contributed to the proliferation of dangerous hacking tools, arming governments that cannot develop these capabilities in-house. But there is little transparency in this industry, which is why sharing information about these vendors and their capabilities is critical.”
TAG said it currently tracks more than 30 spyware makers that offer a range of technical capabilities and levels of sophistication to government-backed customers.
In an analysis of the iOS version, Google researchers found that attackers were distributing the iOS spyware using a fake app that looked like the My Vodafone app from the popular international mobile carrier. In both Android and iOS attacks, attackers may simply trick the target into downloading what appears to be a messaging app by distributing malicious links for victims to click. But in some particularly high-profile cases of iOS targeting, Google found that attackers may have been working with local ISPs to cut off specific users' mobile data connections, send them malicious download links via SMS, and convince them to install the fake My Vodafone app over Wi-Fi with the promise that this would restore their phone service.
The attackers were able to distribute the malicious apps because RCS Labs apparently registered with Apple's Enterprise Developer Program through a shell company called 3-1 Mobile SRL to obtain a certificate that let them sideload the application onto devices, bypassing Apple's typical App Store review process.
All known accounts and certificates associated with the spyware activity have been revoked, Apple told WIRED.
"Enterprise certificates are for internal company use only and not for general app distribution, as they can be used to circumvent App Store and iOS protections," the company wrote in an October report about sideloading. "Despite the tight control and limited scale of the program, bad actors have found ways to gain unauthorized access, such as by purchasing enterprise certificates on the black market."