Attackers hit iOS and Android devices with spyware in Italy and Kazakhstan

Malware illustration

A report published by Google on Thursday has detailed findings from its ongoing investigations of commercial spyware vendors as part of its Project Zero campaign.

The company named Italian firm RCS Labs as the likely party responsible for the attacks. Google alleges RCS Labs used "a combination of tactics" to target users in Italy and Kazakhstan with what is deemed a "drive-by download attack."

A message would claim that the victim has lost access to their account or services, and will need to sign in via the link provided to restore service. The install links sent by the nefarious actors were masquerading as internet service provider or messaging application notifications.

Once the victim connected to the linked site, they were shown real logos and realistic prompts for account reset, with the link to download the malicious application hidden behind official-looking buttons and icons. For example, one of the many variants of the app used in the campaign installed had a Samsung logo as its icon, and would point to a fake Samsung website.

The Android version of the attack used an .apk file. Since Android apps can be installed freely from outside the Google Play store, there was no need for the actors to convince victims to install a special certificate.

Victims with Android devices then had many permissions granted to the attackers, such as access to network statuses, user credentials, contact details, reading of external storage devices being provided.

Victims using iOS were then instructed to install an enterprise certificate. If the user followed the process, the properly signed certificate allowed the malicious app to sidestep App Store protections after sideloading.

The iOS version of the malicious application used six different system exploits to extract information from the device, with the app broken into multiple parts, each using a specific exploit. Four of these exploits were written by the jailbreaking community to bypass the verification layer to unlock full root access to the system.

Due to iOS sandboxing, the amount of data extracted was limited in scope. While data such as the local database of the messaging application WhatsApp was obtained from the victims, sandboxing prevented the app from directly interfacing and stealing other apps' information directly.

Google has issued warnings to Android victims of this campaign. The company has also made changes to Google Play Protect, as well as disabling certain Firebase projects used by the attackers.

Apple has patched the exploits. Fixes for the entire exploit chain arrived with iOS 15.2.

Apple users have long been targets for nefarious actors. In January 2022, government agents managed to get malware onto the Mac devices of pro-democracy activists. More recently in April, a phishing attack on a victim's iCloud account led to $650,000 worth of assets being stolen.

Owners of iOS or iPadOS devices are protected from attacks of this sort if they don't install certificates outside of their organization. It also good practice for any user to contact a company directly using clear methods of communication established before the message if they have any questions about a call-to-action made through messaging services.

Updated June 24, 7:00 AM ET: Updated with confirmation of Apple's patching efforts to stop the entire exploit chain.