iPhone users targeted by Italian spyware, says new report


What you need to know

A new report says iOS users have been targeted by spyware.
Google says an Italian company used spyware to target victims in Italy and Kazakhstan.
Apple has reportedly revoked all known accounts and certificates associated with the campaign.

A new report claims an Italian-based company’s spyware has been used to target iPhone users in Italy and Kazakhstan.

In a report from Google’s Threat Analysis Group, the company writes:

Today, alongside Google’s Project Zero, we are detailing capabilities we attribute to RCS Labs, an Italian vendor that uses a combination of tactics, including atypical drive-by downloads as initial infection vectors, to target mobile users on both iOS and Android. We have identified victims located in Italy and Kazakhstan.

The campaign sent each target a unique link that attempted to get users on both Android and iOS to install a malicious app. In some cases the attackers worked with the target’s mobile carrier to disable the target’s data, then sent a similar malicious link via SMS in order to “fix” the issue.

iOS users were also targeted with a “drive-by exploit”:

To distribute the iOS application, attackers simply followed Apple instructions on how to distribute proprietary in-house apps to Apple devices and used the itms-services protocol with the following manifest file and using com.ios.Carrier as the identifier.

The company was able to satisfy Apple’s iOS code signing requirements by enrolling in Apple’s Developer Enterprise Program. Such apps can be sideloaded onto devices and don’t need to be installed through Apple’s App Store.
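
A defender-side check for the distribution path described above, added here as an example and not taken from Google's report or from Apple: it pulls the manifest URL out of an itms-services install link (as might appear in SMS or web proxy logs) and flags manifest entries whose bundle identifier or package host is not on an organization's allowlist. The allowlists, host names and sample manifest are constructed assumptions; only the identifier com.ios.Carrier comes from the report.

```python
import plistlib
from urllib.parse import urlsplit, parse_qs

# Assumptions (constructed): the organization's own in-house apps and hosts.
APPROVED_BUNDLE_IDS = {"com.example.corp.timesheet"}
APPROVED_HOSTS = {"apps.corp.example"}

def manifest_url_from_link(link):
    """Return the manifest URL carried by an itms-services install link, else None."""
    parts = urlsplit(link.strip())
    if parts.scheme != "itms-services":
        return None
    query = parse_qs(parts.query)
    if query.get("action", [""])[0] != "download-manifest":
        return None
    return query.get("url", [None])[0]

def review_manifest(plist_bytes):
    """Return (bundle_id, package_url, findings) for each app in an OTA manifest."""
    results = []
    for item in plistlib.loads(plist_bytes).get("items", []):
        bundle_id = item.get("metadata", {}).get("bundle-identifier", "")
        package_url = next((a.get("url", "") for a in item.get("assets", [])
                            if a.get("kind") == "software-package"), "")
        findings = []
        if bundle_id not in APPROVED_BUNDLE_IDS:
            findings.append("bundle identifier not on in-house allowlist")
        if urlsplit(package_url).hostname not in APPROVED_HOSTS:
            findings.append("package host not on in-house allowlist")
        results.append((bundle_id, package_url, findings))
    return results

# Constructed sample input; only the identifier com.ios.Carrier is from the report.
SAMPLE_LINK = ("itms-services://?action=download-manifest"
               "&url=https%3A%2F%2Fcdn.example.invalid%2Fmanifest.plist")
SAMPLE_MANIFEST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>items</key><array><dict>
<key>assets</key><array><dict>
<key>kind</key><string>software-package</string>
<key>url</key><string>https://cdn.example.invalid/app.ipa</string>
</dict></array>
<key>metadata</key><dict>
<key>bundle-identifier</key><string>com.ios.Carrier</string>
<key>kind</key><string>software</string>
</dict></dict></array></dict></plist>"""

if __name__ == "__main__":
    print(manifest_url_from_link(SAMPLE_LINK))
    for row in review_manifest(SAMPLE_MANIFEST):
        print(row)
```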

Apple told Reuters that the company has revoked all known accounts and certificates associated with the hacking campaign, indicating it should hopefully not be a threat to other users going forward. Apple has also patched the exploits in iOS 15.

RCS Lab told the outlet it had no connection to the activities of any of its customers, in a defense similar to that used by NSO over its own Pegasus spyware scandal. RCS Lab sells its spy tools to other agencies, listing European law enforcement agencies amongst its clients. As noted, many of these attacks against victims were carried out in conjunction with their ISPs, suggesting an official connection between those internet service providers or carriers and agencies using the spyware.
