Spyware: the new threat for Android and iOS comes from Italy
A new spyware threat is hitting Android and iOS devices in Europe, and this time Italy appears to be deeply involved in the wave of attacks, according to the latest report published by the researchers of Google Project Zero's TAG (Threat Analysis Group).
The spyware in question originates from RCS Labs, an Italian company that sells surveillance services to law enforcement and others, which is reported to have created malware capable of compromising victims' smartphones and giving the attacker complete access to the data on them. According to the Google document, the attacks were carried out against some users in Italy and Kazakhstan.
THE ATTACK MODES
The Google report also goes into detail on the attack methods used by the RCS Labs tool. It all begins with an invitation to the victim to visit a forged web page, which states that one of their accounts has been suspended and that a recovery procedure must be performed in order to regain access.
Below is an example image showing what this page looks like. In the case illustrated, the main services connected to Meta are mentioned, namely Facebook, Instagram and WhatsApp, and everything is presented in a web page using fonts and colors that are easily associated with Facebook.
As the text shows, the user is asked to download an application to proceed with the recovery of the account. For victims on Android the process is much simpler and more effective, as the installation of the malicious app takes place without any particular obstacle, since the system natively supports installing APK files from sources outside the store.
Once the procedure is finished, the app has free access to many aspects of the smartphone, since the required permissions include monitoring the status of the network, accessing the victim's contacts and account data, and reading any external storage present.
On iOS the procedure is more complicated, as it requires convincing the victim to install a particular company certificate before sideloading the application. If the procedure is successful, the app exploits six different flaws in the operating system to access the information on the smartphone; four of these use community-created code related to jailbreaking, since they serve to bypass verification processes and obtain full root permissions.
Nevertheless, the impact of the spyware on iOS is significantly smaller than on Android, as apps run in a sandbox that severely limits interaction with other applications, so it is not possible to directly steal the information held by the others.
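A defender-side triage check suggested by the Android permission list above, written as an added example for this article (it is not code from Google's report or from RCS Labs): it parses an AndroidManifest.xml and flags an app that requests, all together, the permissions granting the capabilities named in the text. The mapping from those capabilities to permission names, and the sample manifest, are my assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Capability named in the article -> manifest permissions that grant it.
# This mapping is an assumption: the report does not list permission strings.
CAPABILITIES = {
    "network status": {"android.permission.ACCESS_NETWORK_STATE"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "account data": {"android.permission.GET_ACCOUNTS"},
    "external storage": {"android.permission.READ_EXTERNAL_STORAGE"},
}


def requested_permissions(manifest_xml: str) -> set:
    """Return the set of <uses-permission android:name=...> values in a manifest."""
    root = ET.fromstring(manifest_xml)
    names = (elem.get(f"{{{ANDROID_NS}}}name") for elem in root.iter("uses-permission"))
    return {name for name in names if name}


def matched_capabilities(manifest_xml: str) -> set:
    """Capabilities from the article whose permissions the manifest requests."""
    perms = requested_permissions(manifest_xml)
    return {cap for cap, needed in CAPABILITIES.items() if needed & perms}


def looks_like_spyware_profile(manifest_xml: str) -> bool:
    """True only when every capability in the article's list is requested together."""
    return matched_capabilities(manifest_xml) == set(CAPABILITIES)


# Constructed sample manifest (not a real app) mirroring the permission set described.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="example.recovery.helper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
</manifest>"""

if __name__ == "__main__":
    print(sorted(matched_capabilities(SAMPLE_MANIFEST)))
    print(looks_like_spyware_profile(SAMPLE_MANIFEST))
```

An app legitimately needing one or two of these permissions will not trigger the flag; only the full combination does, which is what makes the profile worth a closer look.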
THE DANGER HAS NOT ENDED
Google Project Zero's publication of this information was accompanied by a warning about the RCS Labs tool, as the exploits used have not yet been fully patched, so it is still possible to carry out these attacks or fall victim to them.
Google intervened by blocking some Firebase projects through changes introduced in Google Play Protect, while it is unclear whether Apple has already invalidated the certificate that allows the app to be installed. In any case, it is always wise to be cautious when prompted to install applications from outside the stores.
Apple will surely take events like this as an example to support its position against opening iOS and iPadOS to the installation of applications from unknown sources, as already reiterated in a recent defense, since its operating systems are much harder to hit with attacks of this kind.