Internet Service Providers Help Spyware Vendor Infect iOS and Android Devices

Vlad CONSTANTINESCU

June 24, 2022

Researchers from Google’s Threat Analysis Group (TAG) yesterday disclosed that certain Internet Service Providers (ISPs) helped Italian spyware vendor RCS Labs infect iOS and Android users in Italy and Kazakhstan with surveillance tools.

TAG tracks more than 30 spyware vendors, including RCS Labs, according to security researchers Clement Lecigne and Christian Resell. The attacks used drive-by-downloads to deploy malware on multiple devices.

The ISPs involved cut their victims’ mobile data connection, helping the perpetrators trick them into installing fake mobile carrier apps under the pretense of getting back online. Since the targets lacked data connectivity, the threat actors sent the malicious links via SMS.

“In some cases, we believe the actors worked with the target’s ISP to disable the target’s mobile data connectivity,” Google TAG’s report says. “Once disabled, the attacker would send a malicious link via SMS asking the target to install an application to recover their data connectivity. We believe this is the reason why most of the applications masqueraded as mobile carrier applications.”

The spyware vendor couldn’t always cooperate with the targets’ ISPs, so it also used fake messaging apps to lure victims. The group crafted decoy support pages offering to help potential victims recover suspended Instagram, WhatsApp or Facebook accounts.

Fake support pages hosted links to install applications; while Facebook and Instagram pages pointed to official apps, the WhatsApp URL pointed to a malicious version of the messaging app.

It’s worth mentioning that the malicious apps weren’t available in Google Play or Apple’s App Store. To infect iOS users, the perpetrators sideloaded the iOS version of the app and asked targets to enable installation of apps from unknown sources. The malicious iOS app was signed with an enterprise certificate and packed several privilege escalation exploits, as follows:

While its Android counterpart carried no exploits, it was able to download and execute additional modules at runtime through the DexClassLoader API.

Google said it took steps to prevent these attacks and protect its users against them, while warning that attackers could pull off similar attacks without using any exploits.

“To protect our users, we have warned all Android victims, implemented changes in Google Play Protect and disabled Firebase projects used as C2 in this campaign,” Google says in its latest TAG report.
