The trail that links a dangerous spyware to Italy


Notorious spyware company NSO Group told a European Parliament special committee this week that at least five European Union (EU) countries have used the company's powerful surveillance malware, Pegasus. As more and more details emerge about the abuse of NSO's product around the world, however, researchers are also trying to raise awareness of how the paid surveillance industry extends far beyond a single company. On Thursday, June 23, Google - specifically the Threat Analysis Group (TAG) and Project Zero, the company's vulnerability analysis team - released two reports with findings on the iOS version of a spyware attributed to the Italian company RCS Labs.

Google researchers report that they have identified several victims of the spyware on Android and iOS devices in Italy and Kazakhstan. Last week, security company Lookout released a report on the Android version of the spyware, which it named "Hermit" and in turn traced back to RCS Labs. Lookout highlights how Italian authorities used a version of the spyware during a 2019 anti-corruption investigation. In addition to the victims in Italy and Kazakhstan, Lookout also found data indicating that an unidentified entity used the spyware in northeastern Syria.

"Google has been following the activities of companies that sell commercial spyware for years. In this period we have seen the sector expand rapidly, from a few suppliers to an entire ecosystem - TAG security engineer Clement Lecigne explains to US -. These companies allow the proliferation of dangerous hacking tools, arming governments that would not be able to develop these capabilities internally. In this sector, however, there is little or no transparency, which is why it is essential to share information about these companies and their capabilities."

TAG reports that it currently monitors over thirty spyware manufacturers, which offer a wide range of technical capabilities and high levels of sophistication to government-backed customers.

The attacks

In analyzing the iOS version, Google researchers found that attackers distributed the spyware using a fake application that they passed off as My Vodafone, the app of the popular mobile operator. In both the Android and iOS attacks, attackers may have simply tricked targets into downloading what appeared to be a messaging app, distributing a malicious link for victims to click on. But in some particularly severe cases of iOS attacks, Google found that attackers may have partnered with local internet providers to cut a particular user's data connection, send them a malicious link via text message, and convince them to install the fake My Vodafone app via Wi-Fi, with the promise that doing so would restore cellular service.

The attackers were able to distribute the fake app because RCS Labs had enrolled in Apple's Enterprise Developer Program, apparently through a shell company called 3-1 Mobile Srl, obtaining a certificate that allowed it to load its own apps onto devices without going through the normal App Store review process.

Apple told US that it has revoked all known accounts and certificates associated with the spyware attack campaign.

"Certificates [of the Enterprise Developer Program, ed.] are intended solely for internal use by a company and not for the general distribution of apps, as they can be used to circumvent the protections of the App Store and iOS - reads a report released in October by the company -. Despite the tight controls and limited scale of the program, attackers have found unauthorized ways to access it, for example by purchasing certificates on the black market."

Ian Beer, who is part of Project Zero, has conducted a technical analysis of the exploits used by RCS Labs' iOS malware. Beer noted that the spyware uses a total of six exploits to gain access to and monitor the victim's device. Five of these were known exploits affecting older versions of iOS; the sixth was an unknown vulnerability at the time of discovery (Apple released a patch in December). The exploit took advantage of structural changes in the data flow between new generations of Apple "coprocessors", in a phase in which the company, and the sector in general, is moving towards the all-in-one design known as "system-on-a-chip".

The evolution of the surveillance industry

While the exploit's level of sophistication isn't unprecedented, Google researchers point out that RCS Labs' spyware reflects a broader trend that sees the paid surveillance industry combining existing hacking techniques and exploits with newer elements.

"The commercial surveillance industry benefits from and reuses research from the jailbreaking community. In this case, three of the six exploits come from public exploits designed for jailbreaking [the forced removal of restrictions on an Apple device, ed.] - explains TAG member Benoit Sevens -. We also see other surveillance companies reusing techniques and infection vectors exploited and initially discovered by cybercriminal groups. And as with other attackers, surveillance companies use not only sophisticated exploits but also social engineering attacks to lure their victims."

The new information released by Google shows how, although not all actors can count on the success or notoriety of a company like NSO, many small and medium-sized operators in a booming industry are creating real risks for internet users around the world.

This article originally appeared on US.
