Attackers hit iOS and Android devices with spyware in Italy and Kazakhstan

AppleInsider is supported by its audience and is eligible to earn an Amazon Associate and Affiliate Partner commission on qualifying purchases. These affiliate partnerships do not influence our editorial content.

Google has revealed that Android and iOS users in Europe have been tricked into installing a malicious app that then steals personal information from the device.

A report released Thursday by Google outlines the detailed results of its ongoing investigations of commercial spyware vendors as part of its Project Zero campaign.

The company named the Italian firm RCS Labs as the likely culprit behind the attacks. Google alleges that RCS Labs used "a combination of tactics" to target users in Italy and Kazakhstan with what is believed to be a drive-by download attack.

The installation links sent by the malicious actors posed as notifications from internet service providers or messaging apps. A message would claim that the victim had lost access to their account or service and needed to log in through the provided link to restore it.

Once the victim followed the link, they were shown real logos and realistic account-reset prompts, with the download link for the malicious app hidden behind official-looking buttons and icons. For example, one of the many variants of the app used in the campaign carried a Samsung logo as its icon and pointed to a fake Samsung website.

The Android version of the attack used an .apk file. Since Android apps can be freely installed from outside the Google Play Store, actors did not need to convince victims to install a special certificate.

On Android, the installed app held a wide range of permissions that gave the attackers access to network status, user credentials, contact details and the contents of external storage.
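The combination described above, an app installed from outside the Play Store that holds broad permissions, is something a defender can triage on a device. The following added example (not from the article or from Google's report) parses the output of `adb shell pm list packages -i` and `adb shell dumpsys package <pkg>` and flags non-Play-Store packages holding the kinds of permissions the article names; the sample output is constructed, and the mapping from the article's wording to concrete permission names is an assumption.

```python
import re
from typing import Dict, List, Set

# Assumed mapping of the article's "network status, credentials, contacts,
# external storage" to standard Android permission names.
WATCHED_PERMISSIONS: Set[str] = {
    "android.permission.ACCESS_NETWORK_STATE", "android.permission.GET_ACCOUNTS",
    "android.permission.READ_CONTACTS", "android.permission.READ_EXTERNAL_STORAGE",
}
PLAY_STORE_INSTALLER = "com.android.vending"

def parse_installers(pm_output: str) -> Dict[str, str]:
    """Parse `pm list packages -i` lines into {package: installer}."""
    installers = {}
    for line in pm_output.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            installers[m.group(1)] = m.group(2)
    return installers

def parse_granted_permissions(dumpsys_output: str) -> Set[str]:
    """Collect permissions reported as granted=true in `dumpsys package <pkg>`."""
    return set(re.findall(r"(android\.permission\.[A-Z_]+): granted=true", dumpsys_output))

def triage(pm_output: str, dumpsys_by_pkg: Dict[str, str]) -> List[dict]:
    """Flag packages not installed by the Play Store that hold watched permissions."""
    findings = []
    for pkg, installer in parse_installers(pm_output).items():
        if installer == PLAY_STORE_INSTALLER:
            continue  # Play Store installs are out of scope for this check
        granted = parse_granted_permissions(dumpsys_by_pkg.get(pkg, ""))
        hits = sorted(granted & WATCHED_PERMISSIONS)
        if hits:
            findings.append({"package": pkg, "installer": installer, "permissions": hits})
    return findings

# Constructed sample output (not captured from a real device).
SAMPLE_PM = """package:com.android.chrome  installer=com.android.vending
package:com.example.carrierhelper  installer=null
package:com.example.notes  installer=com.android.vending
"""
SAMPLE_DUMPSYS = {
    "com.example.carrierhelper": """  runtime permissions:
      android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
      android.permission.READ_EXTERNAL_STORAGE: granted=true, flags=[ USER_SET ]
      android.permission.CAMERA: granted=false, flags=[ USER_SET ]
    install permissions:
      android.permission.ACCESS_NETWORK_STATE: granted=true
""",
}
```

On a real device, feed `triage` the live command output per package; a hit is a starting point for investigation, not proof of compromise.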

Victims using iOS were instead prompted to install a company certificate. If the user completed that process, the validly signed certificate allowed the malicious app to be sideloaded, bypassing the App Store's protections.

The iOS version of the malicious app used six different system exploits to extract information from the device, with the app split into multiple parts, each relying on a specific exploit. Four of those exploits originated in the jailbreaking community and were used to bypass the verification layer and obtain full root access to the system.

Because of iOS sandboxing, the amount of data extracted was limited. While data such as the local database of the WhatsApp messaging app was obtained from victims, the sandbox prevented the app from directly interfacing with other apps and stealing their information.

Google has issued warnings to Android victims of this campaign. The company also made changes to Google Play Protect, as well as disabling some Firebase projects used by attackers. It is unclear whether Apple invalidated the certificate.

Apple users have long been targets of malicious actors. In January 2022, government agents successfully planted malware on the Mac devices of pro-democracy activists. Most recently, in April, a phishing attack on a victim’s iCloud account resulted in the theft of $650,000 in assets.

Owners of iOS or iPadOS devices are protected against such attacks if they do not install certificates from outside their own organization. It is also good practice for any user who has questions about a call to action received through a messaging service to contact the company directly through its established communication channels rather than responding to the message.
