In hearings this week, the notorious spyware vendor NSO Group told European lawmakers that at least five EU countries have used its powerful Pegasus surveillance malware. But as the reality of how NSO products have been abused around the world comes to light, researchers are also working to raise awareness that the surveillance-for-hire industry extends well beyond that one company. On Thursday, Google's Threat Analysis Group (TAG) and its Project Zero vulnerability research team published findings on the iOS version of a spyware product attributed to the Italian developer RCS Labs.
Google researchers say they found victims of the spyware in Italy and Kazakhstan on both Android and iOS devices. Last week, the security company Lookout released findings on the Android version of the spyware, which it calls "Hermit" and which it also attributes to RCS Labs. Lookout notes that Italian officials used a version of the spyware during an anti-corruption investigation in 2019. In addition to the victims located in Italy and Kazakhstan, Lookout also found data indicating that an unidentified entity used the spyware to target victims in northeastern Syria.
"Google has been tracking the activities of commercial spyware vendors for years, and during that time we've seen the industry expand rapidly from a few vendors to an entire ecosystem," TAG security engineer Clement Lecigne told WIRED. "These vendors are enabling the proliferation of dangerous hacking tools, arming governments that could not develop these capabilities internally. But there is little or no transparency in this industry, so it is critical to share information about these vendors and their capabilities."
TAG says it currently tracks more than 30 spyware vendors that offer a range of technical capabilities and levels of sophistication to government-backed customers.
In their analysis of the iOS version, Google researchers found that the attackers distributed the iOS spyware through a fake application designed to resemble the My Vodafone app of the popular international mobile operator. In both the Android and iOS attacks, the attackers may have tricked their targets into downloading what appeared to be a messaging app by sending a malicious link for victims to click. But in some particularly dramatic iOS targeting cases, Google found that the attackers may have been working with local ISPs to cut off a specific user's mobile data connection, send them a malicious SMS download link, and convince them to install the fake My Vodafone app over Wi-Fi with the promise that this would restore their mobile service.
The attackers were able to distribute the malicious application because RCS Labs had enrolled in Apple's enterprise developer program, apparently through a shell company called 3-1 Mobile SRL, to obtain a certificate that allowed them to distribute apps without going through the usual Apple App Store review process.
Apple tells WIRED that all known accounts and certificates associated with the spyware campaign have been revoked.
"Enterprise certificates are intended only for internal use by a company and are not intended for general app distribution, as they can be used to circumvent App Store and iOS protections," the company wrote in an October report on sideloading. "Despite strict controls and the limited scale of the program, bad actors have found unauthorized ways to access it, for example by buying enterprise certificates on the black market."
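The certificate abuse described above leaves a trace a defender can check for: an iOS app distributed through the enterprise program ships an in-house provisioning profile rather than an App Store one. The script below is an added example, not code from Google, Lookout, Apple or RCS Labs; it uses the real key names from Apple's `embedded.mobileprovision` format (`ProvisionsAllDevices`, `ProvisionedDevices`, `TeamName`, `Entitlements`), but the profile blobs it parses are constructed stand-ins whose CMS signature wrapper is fake bytes, and the team names are placeholders.

```python
import plistlib


def make_profile_blob(fields: dict) -> bytes:
    """Constructed stand-in for embedded.mobileprovision: a plist wrapped in
    opaque bytes standing in for the CMS signature (not a valid signature)."""
    return b"\x30\x82FAKE-CMS-HEADER" + plistlib.dumps(fields) + b"\x00FAKE-TRAILER"


# Profile shaped like an in-house (enterprise) distribution profile.
ENTERPRISE_PROFILE = make_profile_blob({
    "Name": "Wildcard in-house profile",
    "TeamName": "EXAMPLE SHELL COMPANY SRL",  # placeholder, not a real team
    "ProvisionsAllDevices": True,
    "Entitlements": {"application-identifier": "ABCDE12345.*",
                     "get-task-allow": False},
})

# Profile shaped like an App Store distribution profile for comparison.
APPSTORE_PROFILE = make_profile_blob({
    "Name": "Store profile",
    "TeamName": "Example Carrier Ltd",  # placeholder
    "Entitlements": {"application-identifier": "FGHIJ67890.com.example.carrier",
                     "get-task-allow": False},
})


def extract_plist(blob: bytes) -> dict:
    """Pull the XML plist out of the CMS envelope without verifying it."""
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("no plist payload found in provisioning profile")
    return plistlib.loads(blob[start:end + len(b"</plist>")])


def classify_profile(profile: dict) -> dict:
    """Map profile keys to the distribution channel they imply."""
    ent = profile.get("Entitlements", {})
    if profile.get("ProvisionsAllDevices"):
        kind = "enterprise"  # in-house distribution, no App Store review
    elif "ProvisionedDevices" in profile:
        kind = "development" if ent.get("get-task-allow") else "adhoc"
    else:
        kind = "appstore"
    app_id = ent.get("application-identifier", "")
    return {
        "distribution": kind,
        "team": profile.get("TeamName", "<unknown>"),
        "wildcard_app_id": app_id.endswith(".*"),
        "review": kind in ("enterprise", "adhoc"),  # queue for human triage
    }
```

On a real device or MDM export, the same check runs over each app's `embedded.mobileprovision`; an enterprise profile on a consumer handset from an unfamiliar team is the signal to investigate.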