Google has warned of spyware being used by foreign governments to hack into Apple and Android phones and snoop on users’ activities.
The offending ‘spyware’ – software that steals information from a device – was created by Milan-based company RCS Lab, Google and security firm Lookout have revealed.
RCS Lab spyware has allegedly been used by the Italian and Kazakhstani governments to spy on private messages and contacts stored on their citizens’ smartphones.
However, the spyware is potentially capable of spying on a victim’s browser, camera, address book, clipboard and chat apps too.
RCS Lab is an example of a ‘lawful intercept’ company that claims to only sell to customers with legitimate use for surveillance, such as intelligence and law enforcement agencies.
But in reality, such tools have often been abused under the guise of national security to spy on business executives, human rights activists, journalists, academics and government officials, security experts say.
Spyware is a specific type of malware that steals information from a computer and sends it to a third party, without the person’s knowledge (file photo)
It’s thought RCS Lab’s spyware, nicknamed ‘Hermit’, is distributed via SMS messages that appear to come from legitimate sources.
SPYWARE AND MALWARE
Spyware is a specific type of malware that steals information from a computer and sends it to a third party, without the person’s knowledge.
Spyware gathers your personal information and relays it to advertisers, data firms, or external users.
Meanwhile, malware is a catch-all term for any type of malicious software, regardless of how it works, its intent, or how it’s distributed.
The term includes adware, spyware, viruses, trojans and more.
Source: Norton Security
It tricks users by serving up what looks like legitimate webpages of high-profile brands as it kickstarts malicious activities in the background.
In some cases, citizens were sent SMS messages asking them to install an application to fix their slow mobile connectivity – when in fact, doing so installed the spyware.
In these cases, attackers managed to get the victim’s internet service provider (ISP) to slow down their connectivity, Google said, to make it seem like a legitimate message.
In other cases, citizens were sent links to a webpage that was masquerading as a high profile tech company, such as Facebook.
As an example, Google posted a screenshot from one of the attacker controlled sites, www.fb-techsupport.com, intended to impersonate Facebook’s support team (the webpage no longer exists).
In Italian, it told victims that their accounts had been suspended and they needed to download an application to restore the account.
Google said it had taken steps to protect users of its Android operating system and alert them about the spyware.
Apple and the governments of Italy and Kazakhstan did not immediately respond to requests for comment.
Screenshot posted by Google, which translates from Italian as: ‘Suspended account reset. Download and install, following the instructions on the screen, the application for verifying and restoring your suspended account. At the end of the procedure you will receive an unlock confirmation SMS’
Google said the commercial spyware industry is ‘thriving’ and ‘growing at a significant rate’ – a trend that ‘should be concerning to all internet users’.
HOW IS THE SPYWARE INSTALLED?
In some cases, Google said it believed hackers using RCS spyware worked with the target’s internet service provider (ISP).
This method originated with a unique link sent to the target.
Once clicked, the page attempted to get the user to download and install a malicious application on either Android or iOS.
In some cases, actors likely worked with the target’s ISP to disable the target’s mobile data connectivity.
Once disabled, the attacker would send a malicious link via SMS asking the target to install an application to recover their data connectivity.
This is the reason why most of the applications masqueraded as mobile carrier applications.
When ISP involvement was not possible, applications are masqueraded as messaging applications.
‘These vendors are enabling the proliferation of dangerous hacking tools and arming governments that would not be able to develop these capabilities in-house,’ Benoit Sevens and Clement Lecigne from Google’s Threat Analysis Group said in a blog post.
‘While use of surveillance technologies may be legal under national or international laws, they are often found to be used by governments for purposes antithetical to democratic values – targeting dissidents, journalists, human rights workers and opposition party politicians.’
On its website, RCS Lab claims European law enforcement agencies as some of its clients and describes itself as a maker of ‘lawful interception’ technologies and services including voice, data collection and ‘tracking systems’.
It says it handles 10,000 intercepted targets daily in Europe alone.
In response to Google’s findings, RCS Lab said its products and services comply with European rules and help law enforcement agencies investigate crimes.
‘RCS Lab personnel are not exposed, nor participate in any activities conducted by the relevant customers,’ it told Reuters, adding that it condemned any abuse of its products.
Google published its blog post on Thursday, a few weeks after San Francisco-based Lookout detailed its own findings.
According to Lookout, the RCS Lab spyware has been used by the government of Kazakhstan within its borders and has been used by Italian authorities in an anti-corruption operation in 2019.
‘We also found evidence suggesting that an unknown actor used it in northeastern Syria, a predominantly Kurdish region that has been the setting of numerous regional conflicts,’ Lookout said.
Google also found RCS Lab had previously collaborated with the controversial, defunct Italian spy firm Hacking Team, which had similarly created surveillance software for foreign governments to tap into phones and computers.
Hacking Team went bust after it became a victim of a major hack in 2015 that led to a disclosure of numerous internal documents.
The new findings on RCS Lab comes as European and US regulators weigh potential new rules over the sale and import of spyware.
The global industry making spyware for governments has been growing, with more and more companies developing interception tools for law enforcement organizations.
Anti-surveillance activists accuse them of helping governments that in some cases are using such tools to crack down on human rights and civil rights.
Concerns over spyware were fueled by media outlets reporting last year that Israeli firm NSO’s Pegasus tools were used by governments to spy on journalists, activists and dissidents.
Vendors of so-called ‘lawful intercept’ spyware, such as RCS Lab and NSO, usually claim to only sell to entities that have a legitimate use for surveillanceware such as police forces fighting organized crime or terrorism, Lookout says. However, there have been many reports, especially in recent years, of spyware being misused (file photo)
‘They claim to only sell to customers with legitimate use for surveillanceware, such as intelligence and law enforcement agencies,’ mobile cybersecurity specialist Lookout said of companies like NSO and RCS Lab.
‘In reality, such tools have often been abused under the guise of national security to spy on business executives, human rights activists, journalists, academics and government officials.’
While RCS Lab’s tool may not be as stealthy as Pegasus, it can still read messages and view passwords, said Bill Marczak, a security researcher with digital watchdog Citizen Lab.
‘This shows that even though these devices are ubiquitous, there’s still a long way to go in securing them against these powerful attacks,’ Marczak said.
PEGASUS: HOW POWERFUL SPYWARE USED TO HACK JOURNALISTS WORKS
Pegasus is a powerful piece of ‘malware’ – malicious computer software – developed by Israeli security firm NSO Group.
This particular form of malware is known as ‘spyware’, meaning it is designed to gather data from an infected device without the owner’s knowledge and forward it on to a third party.
While most spyware is limited in scope – harvesting data only from specific parts of an infected system – Pegasus appears much more powerful, allowing its controller near-unlimited access to and control over an infected device.
This includes accessing contact lists, emails, and text messages, along with stored photos, videos and audio files.
Pegasus can also be used to take control of the phone’s camera or microphone to record video and audio, and can access GPS data to check where the phone’s owner has been.
And it can also be used to record any new incoming or outgoing phone calls.
Early versions of the virus infected phones using crude ‘phishing’ attacks in which users are conned into downloading the virus on to their own phones by clicking on a malicious link sent via text or email.
But researchers say the software has become much more sophisticated, exploiting vulnerabilities in common phone apps to launch so-called ‘zero-click’ attacks which can infect devices without the user doing anything.
For example, in 2019 WhatsApp revealed that 1,400 people had been infected by NSO Group software using a so-called ‘zero day’ fault – a previously unknown error – in the call function of the app.
Users were infected when a call was placed via WhatsApp to their phones, whether they answered the call or not.
More recently NSO has begun exploiting vulnerabilities in Apple’s iMessage software, giving it backdoor access to hundreds of millions of iPhones.
Apple says it is continually updating its software to prevent such attacks, though human rights group Amnesty says it has uncovered successful attacks on even the most up-to-date iOS systems.
NSO Group says that Pegasus can also be installed on devices using wireless transceivers located near the target, or can be booted directly on to the device if it is stolen first.