Google: How we slowed down this iPhone, Android spyware


Spyware developed by Italian company RCS Labs has been used to attack cellphones in Italy and Kazakhstan – in some cases with the assistance of victims’ cellphone operators, according to Google’s Threat Analysis Group (TAG).

According to the provider’s website, RCS Labs’ customers include law enforcement agencies worldwide. It’s one of more than 30 companies tracked by Google researchers that sell exploits or monitoring capabilities to government-backed groups. And we have been told that this particular spyware runs on both iOS and Android phones.

We understand that this particular spyware campaign was from RCS documented last week by Lookout, who dubbed the toolkit “Hermit.” We’re told it may be able to spy on victims’ chat apps, camera and microphone, contact book and calendars, browser and clipboard, and beam that information back to base. Italian authorities are said to have used this tool to fight corruption cases, and the Kazakh government also got its hands on it.

On Thursday of this week, TAG revealed its analysis of the software and how it helped bring down the infection.

According to Google employees Benoit Sevens and Clement Lecigne, some victims were sent text messages asking them to install an application to fix their mobile data connection. This app actually infected the device with RCS spyware. It appears that the snoopers using the monitoring tool tricked the victims’ carriers into interfering with their wireless internet connection, thereby convincing the perpetrators to run the app.

“We believe this is why most applications were masquerading as mobile operator applications,” Sevens and Lecigne explained.

In cases without telecom assistance, the spies sent a link to a page offering malicious applications masquerading as Facebook parent Meta’s legitimate messaging apps. Running these programs infected the device with spyware.

Downloading and running the app on iOS required a few extra steps due to the operating system’s security measures: for one, the app wasn’t from the official app store and therefore would normally be rejected. Instead, the snoopers followed Apple’s instructions on how to do it to distribute proprietary in-house apps for iThings, according to the Google bug hunters.

This allowed the rogues to produce an app that was digitally signed by a company registered with the Apple Developer Enterprise Program, and importantly one that could be installed on a victim’s device by tricking them into downloading it download and run from a website.

The iPhone app itself contains several parts, including a privilege escalation exploit to escape from the sandbox it runs in, along with an agent capable of stealing files from iOS devices. In their analysis, Sevens and Lecigne analyzed an app with exploit code for the following vulnerabilities:

That’s what the security researchers say CVE-2021-30883 and CVE-2021-30983 were zero-day exploits and Project Zero released a technical analysis of the latter.

Android Deployment

Meanwhile, the installation process on Android worked as follows: first, the victim is sent a link to a webpage that trickes them into downloading and installing a malicious app that looks like a legitimate Samsung application, which opens one on launch web view which displays a legitimate website related to the icon.

Once installed, it requests permissions, uses messaging services like Firebase Cloud Messaging and Huawei Messaging Service for command-and-control communications, and then engages in spying and data theft business.

It may also be able to download additional malware, the researchers warn. “While the APK itself does not contain any exploits, the code suggests the presence of exploits that could be downloaded and run,” write Sevens and Lecigne.

They also listed several hashes of executable files, domains used to distribute the code, and command-and-control domains and IP addresses whose presence in logs could indicate a compromised device.

Google has notified all known Android victims, made changes in Google Play Protect to block RCS code execution, and disabled the Firebase project used for command-and-control communications, we’re told. That should hopefully pull the plug for now.

“This campaign is a good reminder that attackers don’t always use exploits to gain the necessary permissions,” added Sevens and Lecigne. “Basic infection vectors and drive-by downloads still work and can be very efficient with the help of local ISPs.” ®

Source link

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.