Google Warns Users of Spyware Targeting Android and iOS Devices
The researchers say they are working to raise awareness of the surveillance-for-hire sector, which extends well beyond a single company. That effort has become more pressing as more information about how NSO Group's tools have been misused around the world comes to light.
The iOS version of a spyware program allegedly created by the Italian company RCS Labs was the subject of research revealed on Thursday, June 23, by Google's Threat Analysis Group and Project Zero vulnerability analysis team.
According to Google's researchers, the spyware has victims on both Android and iOS devices in Italy and Kazakhstan. The security company Lookout published findings last week on the Android variant, which it calls "Hermit" and also attributes to RCS Labs.
According to Lookout, Italian officials used the malware during a 2019 anti-corruption investigation. Lookout also found evidence that an unidentified party used the spyware against targets in northeastern Syria, in addition to the victims in Italy and Kazakhstan.
TAG also noted that it currently tracks more than 30 spyware developers that sell a range of technical capabilities, at varying levels of sophistication, to government-backed clients.
Spyware Mimics Applications, Messaging Apps
According to the Google researchers who examined the iOS version, attackers delivered the spyware through a fake app designed to resemble the My Vodafone app from the well-known global mobile carrier. In both the Android and iOS attacks, attackers may simply have sent victims a malicious link to click, tricking them into downloading what appeared to be a messaging app. However, Google found that in some more extreme cases of iOS targeting, attackers may have cooperated with regional ISPs to cut off a particular user's mobile data connection, send them a malicious download link over SMS, or take other similar actions.
Attackers were able to distribute the malicious app because RCS Labs had enrolled in Apple's Enterprise Developer Program, apparently through a front company called 3-1 Mobile SRL, to obtain a certificate that allows apps to be sideloaded without going through Apple's standard App Store review process. Apple says it has revoked all of the known accounts and certificates linked to the spyware campaign.
Project Zero member Ian Beer carried out the technical analysis of the exploits used by the RCS Labs iOS malware. He notes that the spyware uses a total of six exploits to gain access to a victim's device and spy on it. Five are known, widely used exploits for older iOS versions; the sixth was an undisclosed vulnerability at the time it was found. That exploit took advantage of structural changes in how data flows between Apple's newer generations of "coprocessors" as the company, and the industry as a whole, moves toward the all-in-one "system-on-a-chip" design (Apple patched the vulnerability in December).
Although the exploit is not particularly sophisticated, Google's researchers point out that it is representative of a broader trend in which the surveillance-for-hire market combines existing techniques.