A new report claims an Italy-based company’s spyware has been used to target iPhone users in Italy and Kazakhstan.
In a report from Google’s Threat Analysis Group the company writes:
Today, alongside Google’s Project Zero, we are detailing capabilities we attribute to RCS Labs, an Italian vendor that uses a combination of tactics, including atypical drive-by downloads as initial infection vectors, to target mobile users on both iOS and Android. We have identified victims located in Italy and Kazakhstan.
The campaign sent each target a unique link that attempted to get users on both Android and iOS to install a malicious app. In some cases the attackers worked with the target’s mobile carrier to disable their data connectivity, then sent a similar malicious link via SMS as a supposed way to “fix” the issue.
iOS users were also targeted with a “drive-by exploit”:
To distribute the iOS application, attackers simply followed Apple instructions on how to distribute proprietary in-house apps to Apple devices and used the itms-services protocol with the following manifest file and using com.ios.Carrier as the identifier.
The company was able to satisfy Apple’s iOS code signing requirements by enrolling in Apple’s Developer Enterprise Program; apps signed under that program can be sideloaded onto devices and don’t need to be installed through Apple’s App Store.
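The in-house distribution path described above hinges on two artifacts that a mobile security team can inspect: the itms-services link and the manifest plist it points at, which names the package URL and the bundle identifier of the app to be installed. The following is an added example (not code from Google TAG, Apple or the article) that pulls the manifest URL out of such a link, parses a manifest with Python’s plistlib, and flags items whose package host or bundle identifier falls outside an organisation’s own allowlist. The manifest and the hostnames are constructed for the example; only the `com.ios.Carrier` identifier comes from the report.

```python
"""Inspect an itms-services manifest (Apple's in-house app distribution
format) and flag items a mobile security team would not expect from its
own fleet: unexpected package hosts and unexpected bundle identifiers.

Added example, not from Google TAG or Apple. SAMPLE_MANIFEST is a
constructed plist; only the com.ios.Carrier identifier is from the report.
"""
import plistlib
from urllib.parse import parse_qs, urlsplit

# Constructed sample manifest, in the layout Apple documents for
# itms-services: an "items" array of {assets, metadata} dictionaries.
SAMPLE_MANIFEST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>items</key>
  <array>
    <dict>
      <key>assets</key>
      <array>
        <dict>
          <key>kind</key><string>software-package</string>
          <key>url</key><string>https://update.example-carrier.invalid/app.ipa</string>
        </dict>
      </array>
      <key>metadata</key>
      <dict>
        <key>bundle-identifier</key><string>com.ios.Carrier</string>
        <key>bundle-version</key><string>1.0</string>
        <key>kind</key><string>software</string>
        <key>title</key><string>Carrier Settings</string>
      </dict>
    </dict>
  </array>
</dict>
</plist>
"""


def manifest_url_from_itms_link(link):
    """Return the manifest URL carried by an itms-services:// link, or None.

    The link shape is itms-services://?action=download-manifest&url=<manifest>.
    Anything that is not that scheme/action yields None.
    """
    parts = urlsplit(link)
    if parts.scheme != "itms-services":
        return None
    query = parse_qs(parts.query)
    if query.get("action") != ["download-manifest"]:
        return None
    urls = query.get("url")
    return urls[0] if urls else None


def extract_manifest_items(manifest_bytes):
    """Parse a manifest plist and return (bundle_id, package_url) pairs."""
    manifest = plistlib.loads(manifest_bytes)
    items = []
    for item in manifest.get("items", []):
        bundle_id = item.get("metadata", {}).get("bundle-identifier", "")
        for asset in item.get("assets", []):
            # Only the software-package asset is the installable .ipa;
            # display-image / full-size-image assets are ignored here.
            if asset.get("kind") == "software-package":
                items.append((bundle_id, asset.get("url", "")))
    return items


def flag_manifest(manifest_bytes, allowed_hosts, allowed_bundle_prefixes):
    """Return one finding per item whose package host is not in allowed_hosts
    or whose bundle identifier does not start with an allowed prefix.

    allowed_hosts: set of hostnames the organisation distributes .ipa files from.
    allowed_bundle_prefixes: tuple of bundle-id prefixes the organisation owns.
    """
    findings = []
    for bundle_id, url in extract_manifest_items(manifest_bytes):
        host = urlsplit(url).hostname or ""
        if host not in allowed_hosts:
            findings.append(f"{bundle_id}: package hosted on unexpected host {host!r}")
        if not any(bundle_id.startswith(p) for p in allowed_bundle_prefixes):
            findings.append(f"{bundle_id}: bundle identifier outside the fleet's namespace")
    return findings


if __name__ == "__main__":
    link = ("itms-services://?action=download-manifest"
            "&url=https://update.example-carrier.invalid/manifest.plist")
    print("manifest URL:", manifest_url_from_itms_link(link))
    for finding in flag_manifest(SAMPLE_MANIFEST, {"mdm.corp.example"}, ("com.corp.",)):
        print("FLAG:", finding)
```

The allowlist inputs are the organisation’s own: the host(s) its MDM serves packages from and the bundle-identifier prefixes it registered. A manifest whose package lives on a carrier-looking host and whose identifier sits outside that namespace, as in the constructed sample, produces two findings; the same manifest checked against an allowlist that happens to include those values produces none, which is why the allowlist has to come from the fleet’s records rather than from the manifest itself.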
Apple told iMore that the company has revoked all known accounts and certificates associated with the hacking campaign, indicating it should hopefully not be a threat to other users going forward. Apple has also patched the exploits in iOS 15. Apple has previously warned against the dangers of sideloading apps on its iOS ecosystem and the impact that could have on users, citing a similar attack using its Enterprise Developer Program as an example of those dangers.
RCS Lab told the outlet it had no connection to the activities of any of its customers, in a defense similar to that used by NSO over its own Pegasus spyware scandal. RCS Lab sells its spy tools to other agencies, listing European law enforcement agencies amongst its clients. As noted, many of these attacks against victims were carried out in conjunction with their ISPs, suggesting an official connection between those internet service providers or carriers and agencies using the spyware.