Google: How we tackled this iPhone, Android spyware

Spyware developed by Italian firm RCS Labs was used to target cellphones in Italy and Kazakhstan — in some cases with an assist from the victims’ cellular network providers, according to Google’s Threat Analysis Group (TAG).

RCS Labs customers include law-enforcement agencies worldwide, according to the vendor’s website. It’s one of more than 30 outfits Google researchers are tracking that sell exploits or surveillance capabilities to government-backed groups. And we’re told this particular spyware runs on both iOS and Android phones.

We understand this particular campaign of espionage involving RCS’s spyware was documented last week by Lookout, which dubbed the toolkit “Hermit.” We’re told it is potentially capable of spying on the victims’ chat apps, camera and microphone, contacts book and calendars, browser, and clipboard, and beam that info back to base. It’s said that Italian authorities have used this tool in tackling corruption cases, and the Kazakh government has had its hands on it, too.

On Thursday this week, TAG revealed its analysis of the software, and how it helped dismantle the infection.

According to Googlers Benoit Sevens and Clement Lecigne, some targets were sent text messages asking them to install an application to fix their mobile data connectivity. This app in fact infected the device with RCS’s spyware. It appears the snoops using the surveillance tool got the victims’ cellular providers to degrade their wireless internet connectivity, thus convincing the marks to run the app.

“We believe this is the reason why most of the applications masqueraded as mobile carrier applications,” Sevens and Lecigne explained.

In cases without any telco help, the spies sent a link to a page offering malicious applications masquerading as legit messaging apps from Facebook parent Meta. Running these programs infected the device with spyware.

Getting the app to download and run on iOS needed some extra steps due to the security measures in the operating system: for one thing, the app wasn’t coming from the official App Store and thus would normally be rejected. The snoops instead followed Apple’s notes on how to distribute proprietary in-house apps to iThings, according to the Google bug hunters. 

This allowed the miscreants to produce an app digitally signed by a company enrolled in the Apple Developer Enterprise Program, and crucially, one that could be installed on a victim’s device by getting them to fetch and run it from a webpage.

The iPhone app itself contains multiple parts, including a privilege-escalation exploit to escape from the sandbox in which it is run, along with an agent that can steal files from iOS devices. In their analysis, Sevens and Lecigne analyzed an app with exploit code for the following vulnerabilities:

The security researchers said CVE-2021-30883 and CVE-2021-30983 were zero-day exploits, and Project Zero published a technical analysis of the latter.

Android deployment

Meanwhile, on Android, the installation process worked like this: first, the victim is sent a link to a webpage that tricks them into fetching and installing a malicious app that looks like a legitimate Samsung application that, when launched, opens a webview that displays a legitimate website related to the icon.

Once installed, it requests permissions, uses messaging services such as Firebase Cloud Messaging and Huawei Messaging Service for command-and-control communications, and then gets on with the business of espionage and data theft. 

It may be able to download additional malware as well, the researchers warn. “While the APK itself does not contain any exploits, the code hints at the presence of exploits that could be downloaded and executed,” Sevens and Lecigne wrote.

They also listed several hashes of excecutables, domains used to distribute the code, and command-and-control domains and IP addresses the presence of which in logs could indicate a compromised device.

Google notified all of the known Android victims, made changes in Google Play Protect to block the RCS code from running, and disabled the Firebase project used for command-and-control communications, we’re told. That should hopefully pull the plug on it for now.

“This campaign is a good reminder that attackers do not always use exploits to achieve the permissions they need,” Sevens and Lecigne added. “Basic infection vectors and drive-by downloads still work and can be very efficient with the help from local ISPs.” ®

READ MORE HERE