Android and iOS users in Europe were tricked into installing a malicious app that would then steal personal information from devices.
According to Google’s Project Zero report, which was released on Thursday, the company is conducting an ongoing investigation into commercial spyware vendors.
Google identified the Italian firm RCS Labs as the suspected vendor behind the campaign. According to Google, this “drive-by download attack” targeted users in Italy and Kazakhstan.
Attackers sent links to malicious software disguised as notifications from the victim’s ISP or messaging apps. The message stated that the victim had been locked out of an account or service and must sign in again using the provided link.
The linked site displayed genuine-looking logos and account reset prompts, with the links to download malware hidden behind official-looking buttons and icons. A fake Samsung website was one of several variations used in the campaign to get the app installed.
In the Android version, an .apk file was used. The attackers did not need to persuade victims to install a special certificate, since Android apps can be sideloaded from anywhere. Once installed, the app gave attackers access to network status, user credentials, contact information, and the ability to read external storage on the device.
Users on iOS were instead asked to install an enterprise certificate. If the user followed the procedure, the properly signed certificate allowed the sideloaded malicious app to circumvent App Store protections.
To gain access to a user’s personal information, the iOS version of the malicious application used six different system exploits. Four of these were taken from the jailbreaking community and were used to bypass Apple’s verification layer and gain full root access.
Due to iOS sandboxing, only a limited amount of data could be recovered. Data such as WhatsApp’s local database can be retrieved from victims, but sandboxing prevented this app from directly interfacing and stealing other apps’ data.
Google has warned many Android users about this campaign. Google Play Protect has been updated, some Firebase projects used by the attackers have been disabled, and other Google services used by the attackers have been replaced. Whether Apple has invalidated the certificate is unknown.
To protect themselves from this type of attack, iOS and iPadOS device owners should not install certificates that do not come from their own organization. If a user has any doubts about a call to action received through a messaging service, it is also good practice to contact the company directly using a channel of communication established before the message arrived.