
Attackers hit iOS and Android devices with spyware in Italy and Kazakhstan


Google has revealed that Android and iOS users in Europe were tricked into installing a malicious application that would then steal personal information off the device.

A report published by Google on Thursday has detailed findings from its ongoing investigations of commercial spyware vendors as part of its Project Zero campaign.

The company named Italian firm RCS Labs as the likely party responsible for the attacks. Google alleges RCS Labs used "a combination of tactics" to target users in Italy and Kazakhstan with what is deemed a "drive-by download attack."

A message would claim that the victim has lost access to their account or services, and will need to sign in via the link provided to restore service. The install links sent by the nefarious actors were masquerading as internet service provider or messaging application notifications.

Once the victim connected to the linked site, they were shown real logos and realistic prompts for an account reset, with the link to download the malicious application hidden behind official-looking buttons and icons. For example, one of the many variants of the app used in the campaign had a Samsung logo as its icon and pointed to a fake Samsung website.

The Android version of the attack used an .apk file. Since Android apps can be installed freely from outside the Google Play store, there was no need for the actors to convince victims to install a special certificate.

Once installed on an Android device, the app was granted a wide range of permissions, including access to network status, user credentials and contact details, as well as the ability to read external storage.

Victims using iOS were then instructed to install an enterprise certificate. If the user followed the process, the properly signed certificate allowed the malicious app to sidestep App Store protections after sideloading.

The iOS version of the malicious application used six different system exploits to extract information from the device, with the app broken into multiple parts, each using a specific exploit. Four of these exploits were written by the jailbreaking community to bypass the verification layer to unlock full root access to the system.

Due to iOS sandboxing, the amount of data extracted was limited in scope. While data such as the local database of the messaging application WhatsApp was obtained from victims, sandboxing prevented the app from directly interfacing with other apps and stealing their information.

Google has issued warnings to Android victims of this campaign. The company has also made changes to Google Play Protect, as well as disabling certain Firebase projects used by the attackers.

Apple has patched the exploits. Fixes for the entire exploit chain arrived with iOS 15.2.

Apple users have long been targets for nefarious actors. In January 2022, government agents managed to get malware onto the Mac devices of pro-democracy activists. More recently in April, a phishing attack on a victim's iCloud account led to $650,000 worth of assets being stolen.

Owners of iOS or iPadOS devices are protected from attacks of this sort if they don't install certificates from outside their own organization. It is also good practice for any user with questions about a call-to-action received through a messaging service to contact the company directly, using a method of communication established before the message arrived.

Updated June 24, 7:00 AM ET: Updated with confirmation of Apple's patching efforts to stop the entire exploit chain.



14 Comments

docbburk 7 Years · 109 comments

It's funny how the "geniuses" in Congress and the EU keep trying to force Apple to let alternative app stores and sideloading. Crap like this shows another reason Apple is right and they are just stooges for the likes of Epic Games, Google, and bad actors.

geekmee 13 Years · 647 comments

Uh, how many users were infected successfully?…

In these two countries in Europe??…
What version of the OS did each have installed on their phones???

sflocal 16 Years · 6138 comments

And the Darwin Award candidates running our country and the EU are considering forcing Apple to allow sideloading apps to bring all the security vulnerabilities that Android has? No thank you.

ranson 15 Years · 91 comments

docbburk said:
It's funny how the "geniuses" in Congress and the EU keep trying to force Apple to let alternative app stores and sideloading. Crap like this shows another reason Apple is right and they are just stooges for the likes of Epic Games, Google, and bad actors.

You realize it was Google who identified this operation and alerted the public about it?

GrannySmith99 2 Years · 59 comments

geekmee said:
Uh, how many users were infected successfully?…
In these two countries in Europe??…
What version of the OS did each have installed on their phones???

Do you really think Kazakhstan is in Europe? I'm guessing you're an American? Lol