Threat actors worked with ISPs to plant malware from Italian spyware vendor

Google's Threat Analysis Group (TAG) has told the European Union Parliament that commercial surveillance vendors are now using capabilities and exploits only available to governments in the past to target victims, including working with internet service providers to plant malware on users' devices.

TAG is tracking over 30 spyware vendors selling exploits and surveillance capabilities to government-sponsored actors, and Google is seeking to disrupt that industry which it says undermines trust and makes the Internet less safe.

Google is warning that the commercial spyware industry is thriving and growing, and while use of the capabilities might legal under national and international law, they are often used by governments to target dissidents, journalists, human rights activists and for purposes antithetical to democratic values.

Among the spyware vendors tracked by TAG and Google's Project Zero security researchers is Italy's RCS Labs.

RCS Labs' capabilities have been used last year to target victims in Italy and Kazakhstan with unique links sent to victims Android and Apple iOS devices.

TAG believes that in some cases, the threat actors would work with the ISP used by the victims to switch off data connectivity.

"Once disabled, the attacker would send a malicious link via SMS asking the target to install an application to recover their data connectivity.

We believe this is the reason why most of the applications masqueraded as mobile carrier applications," researchers Benoit Sevens and Clement Lecigne of TAG wrote.

If ISP cooperation was not possible, the threat actors would use fake messaging applications.

On Android, the malware was disguised as a legitimate Samsung app, using the Korean company's logo on the icon.

One app analysed by TAG contained no fewer than six different exploits to obtain privilege escalation and data exfiltration.

Spyware vendors stockpiling zero-days and exploits are a risk by themselves, as they become targets of other malicious actors and are often compromised in attacks.

Google said the commercial surveillance industry practices are harmful, and need a robust and comprehensive response.

This includes cooperation among threat intelligence teams, network defenders, academic researchers, governments, and multiple technology platforms.