Google has revealed information about a spyware vendor called RCS Labs that, according to the company's Threat Analysis Group (TAG), has been caught targeting people in Italy and Kazakhstan.
TAG says that RCS Labs targeted iOS and Android devices alike with its spyware. "All campaigns TAG observed originated with a unique link sent to the target," TAG says. "Once clicked, the page attempted to get the user to download and install a malicious application on either Android or iOS."
Those malicious links appear to have arrived in two different flavors. TAG says that one masqueraded as an app that could be used to restore the victim's mobile data connection—more on that in a moment—while the other pretended to be some kind of messaging app.
The former only works if someone has actually lost internet access on their phone, of course, and it seems RCS Labs had some assistance in that regard. "In some cases," TAG says, "we believe the actors worked with the target’s ISP to disable the target’s mobile data connectivity."
The attacks then progressed based on what kind of smartphone a target uses. On iPhone, the spyware exploited six different vulnerabilities, two of which TAG says were zero-days. (Google's Project Zero has published an in-depth report on one of those vulnerabilities, CVE-2021-30983.)
RCS Labs took a different approach on Android. TAG says the malicious app, which was designed to look like a legitimate Samsung app, "does not contain any exploits." Instead, TAG believes RCS Labs used command-and-control infrastructure to remotely download and execute exploits.
Neither of the malicious apps was delivered via the App Store or Google Play Store. Instead, TAG says
Read more on pcmag.com