Google warns of foreign governments using SPYWARE to hack Apple and Android phones and track citizens’ movements



Google has warned of foreign governments using spyware to hack Apple and Android phones and track users’ movements.

Google and security firm Lookout have revealed that the offensive ‘spyware’ – software used to steal information from a device – was created by Milan-based company RCS Lab.

RCS Lab spyware has reportedly been used by the Italian and Kazakhstani governments to spy on private messages and contacts stored on the smartphones of their citizens.

However, the spyware is also potentially capable of spying on the victim’s browser, camera, address book, clipboard and chat apps.

RCS Lab is an example of a ‘legitimate interception’ company that claims to sell only to customers with legitimate uses for surveillance, such as intelligence and law enforcement agencies.



But in reality, such tools are often misused to spy on business executives, human rights activists, journalists, academics and government officials under the guise of national security, say security experts.


It is believed that RCS Lab’s spyware, nicknamed ‘Hermit’, is distributed through SMS messages that appear to come from legitimate sources.

Spyware and malware

Spyware is a specific type of malware that steals information from a computer and sends it to a third party without the knowledge of the individual.

Spyware collects your personal information and gives it to advertisers, data firms or external users.

Meanwhile, malware is a catch-all term for any type of malicious software, regardless of how it works, its intention, or how it is distributed.

The term includes adware, spyware, virus, trojan, and more.

Source: Norton Security

It tricks users by showing what look like legitimate webpages of high-profile brands while it kickstarts malicious activities in the background.

In some cases, SMS messages were sent asking citizens to install an application to fix their slow mobile connectivity – when in fact, spyware was installed.

In these cases, the attackers worked with the victim’s Internet Service Provider (ISP) to slow down the victim’s connectivity, Google said, making the message appear legitimate.

In other cases, citizens were sent links to a webpage that posed as a high-profile tech company, such as Facebook.

As an example, Google posted a screenshot from one of the attacker-controlled sites, www.fb-techsupport.com, intended to impersonate Facebook’s support team (the webpage no longer exists).

In Italian, it told victims that their accounts had been suspended and they needed to download an application to restore the account.

Google said it has taken steps to protect users of its Android operating system and alerted them about the spyware.

Apple and the governments of Italy and Kazakhstan did not immediately respond to requests for comment.

Screenshot posted by Google, which translates from Italian: ‘Suspended account reset. Download and install following on-screen instructions to verify and restore your suspended account. You will receive an unlock confirmation SMS at the end of the process.’

Google said the commercial spyware industry is ‘growing’ and ‘growing at a significant rate’ – a trend that ‘all Internet users should be concerned with’.

How is spyware installed?

In some cases, Google said it believed hackers using RCS spyware worked with the target’s Internet Service Provider (ISP).

The attack started with a unique link sent to the target.

Once clicked, the page tried to trick the user into downloading and installing a malicious application on Android or iOS.

In some cases, the actors possibly worked with the target’s ISP to disable the target’s mobile data connectivity.

Once it was disabled, the attacker would send a malicious link via SMS asking the target to install an application to recover their data connectivity.

This is the reason why most of the applications masquerade as mobile carrier applications.

When ISP involvement was not possible, the application was disguised as a messaging application.

“These vendors are enabling the proliferation of dangerous hacking tools and arming governments that would not be able to develop these capabilities in-house,” Benoit Sevens and Clement Lecigne of Google’s Threat Analysis Group said in a blog post.

‘While the use of surveillance techniques may be legal under national or international laws, it is often found that they are used by governments for purposes contrary to democratic values, including to target dissidents, journalists, human rights activists and opposition politicians.’

On its website, RCS Lab claims European law enforcement agencies as some of its clients and describes itself as a manufacturer of ‘legitimate interception’ technologies and services, including voice, data collection and ‘tracking systems’.

It says it handles 10,000 intercepted targets daily in Europe alone.

In response to Google’s findings, RCS Lab said its products and services comply with European regulations and help law enforcement agencies investigate crimes.

It told Reuters, “RCS Lab personnel are not exposed, nor participate in any activity conducted by concerned customers,” adding that it condemned any misuse of its products.

Google published its blog post on Thursday, weeks after San Francisco-based Lookout detailed its own findings.

According to Lookout, RCS Lab spyware has been used by the government of Kazakhstan within its borders and by Italian authorities in an anti-corruption campaign in 2019.

“We also found evidence that an unidentified actor used it in northeastern Syria, a predominantly Kurdish region that has been the center of several regional conflicts,” Lookout said.

Google also found that RCS Lab had previously collaborated with the controversial, defunct Italian spy firm Hacking Team, which similarly created surveillance software for foreign governments to tap into phones and computers.

Hacking Team went bust in 2015 after falling victim to a major hack that led to the disclosure of several internal documents.

The new findings at RCS Lab come as European and US regulators weigh potential new regulations on the sale and importation of spyware.

The global industry producing spyware for governments is growing, with more and more companies developing interception tools for law enforcement organizations.

Anti-surveillance activists accuse them of aiding governments that, in some cases, use such tools to crack down on human rights and civil rights.

Concern over spyware

Media outlets reported last year that Israeli firm NSO’s Pegasus tools had been used by governments to spy on journalists, activists and dissidents.

Lookout says that sellers of so-called ‘legitimate intercept’ spyware, such as RCS Lab and NSO, usually claim to sell only to entities that have a legitimate use for surveillance, such as police forces fighting organized crime or terrorism. However, there have been several reports of spyware abuse, especially in recent years (file photo)

Mobile cyber security specialist Lookout said of companies like NSO and RCS Lab, “They claim to sell only to customers who have legitimate uses of surveillanceware such as intelligence and law enforcement agencies.”

‘Indeed, such tools have often been misused to spy on business executives, human rights activists, journalists, academics and government officials under the guise of national security.’

Bill Marczak, a security researcher at digital watchdog Citizen Lab, said that although RCS Lab’s tool may not be as stealthy as Pegasus, it can still read messages and view passwords.

“This shows that even though these tools are ubiquitous, there is still a long way to go to secure them against these powerful attacks,” Marczak said.

Pegasus: how powerful spyware works to hack journalists

Pegasus is a powerful piece of ‘malware’ – malicious computer software – developed by the Israeli security firm NSO Group.

This particular form of malware is known as ‘spyware’, which means it is designed to collect data from an infected device without the owner’s knowledge and forward it to a third party.

While most spyware is limited in scope – harvesting data only from specific parts of an infected system – Pegasus appears much more powerful, allowing its controller unlimited access and control over an infected device.

This includes access to contact lists, email, and text messages, along with stored photos, videos, and audio files.

Pegasus can also be used to control the phone’s camera or microphone to record video and audio, and to access GPS data to check where the phone’s owner is.

And it can also be used to record any new incoming or outgoing phone calls.

Early versions of the virus infected phones using crude ‘phishing’ attacks, in which users were prompted to download the virus to their phones by clicking on malicious links sent via text or email.

But researchers say the software has become far more sophisticated, exploiting vulnerabilities in common phone apps to launch so-called ‘zero-click’ attacks, which can infect devices without the user doing anything.

For example, in 2019 WhatsApp revealed that 1,400 people were infected by NSO Group software using a so-called ‘zero day’ fault – a previously unknown error – in the app’s call function.

Users were infected when a call was made on their phone via WhatsApp, whether they answered the call or not.

More recently, NSO has begun to exploit vulnerabilities in Apple’s iMessage software, giving it backdoor access to millions of iPhones.

Apple says it is constantly updating its software to prevent such attacks, although human rights group Amnesty says it has uncovered successful attacks on even the most up-to-date iOS systems.

NSO Group says Pegasus can also be installed on devices using wireless transceivers located near the target, or booted directly onto the device if it is stolen first.
