
Spyware vendors caught targeting users in Italy and Kazakhstan


Google’s Threat Analysis Group (TAG) caught Italian spyware vendor RCS Labs targeting Android and iOS users in Italy and Kazakhstan with the help of some ISPs and commercial surveillance tools.

According to the report, TAG believes that ISPs were working with the threat actors in some cases to disable the target’s mobile data connectivity. Once disabled, the attackers moved in with a malicious link pointing to external apps disguised as legitimate carrier apps which would in turn infect the user’s device. 

In cases where the attackers couldn’t work directly with the target’s ISP, they passed off the malicious payload as a messaging app. These apps were distributed through a made-up support page claiming to help people recover suspended Facebook, Instagram or WhatsApp accounts.

Of the three, only tapping the WhatsApp link installed a malicious app; the other two redirected to the official app pages. Google says the malicious apps downloaded by targets are not present on the Apple App Store or the Google Play Store.

The iOS app used in the attack had several built-in exploits to escalate privileges on infected devices and steal data. Overall, TAG found the following vulnerabilities being exploited. 

The last two, namely CVE-2021-30883 and CVE-2021-30983, are believed to have been zero-day exploits at the time of discovery.

As for the Android payload, while the app didn’t have any exploits bundled in the APK, it did have the capability to download and execute additional modules using the DexClassLoader API. 

The Android spyware, named Hermit, has been termed a “modular surveillanceware” that hides its capabilities in external packages which are downloaded after it has been deployed. A detailed analysis of the spyware has been published by cybersecurity firm Lookout. 

Google says it has informed impacted Android users of the spyware, implemented changes in Google Play Protect and disabled all Firebase projects being used as command and control centres in this campaign. 
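The two technical details above, dynamic module loading through DexClassLoader and Firebase projects used as command-and-control, are the kind of thing a defender checks for when triaging an unknown APK. The following is an added example, not code from the article, Google TAG or Lookout: it scans an APK (a zip file) for the Dalvik type descriptor of DexClassLoader and for Firebase hostnames, and reports which members contain them. The sample APKs are constructed in-line and are not real apps; the indicator names and thresholds are this example's own choices.

```python
import io
import zipfile

# Triage indicators taken from the article. A hit means "review this app",
# not "this app is malicious": plenty of legitimate apps use Firebase, and
# some use dynamic code loading. The DexClassLoader string is the real
# Dalvik type descriptor, which appears literally in a DEX string table.
INDICATORS = {
    "dynamic_code_loading": [b"Ldalvik/system/DexClassLoader;"],
    "firebase_endpoint": [b"firebaseio.com", b"firebaseapp.com"],
}


def scan_apk(apk_bytes):
    """Return {indicator_name: [zip members where it was found]} for an APK.

    All members are searched as raw bytes, so compiled resources and native
    libraries are covered as well as classes*.dex.
    """
    hits = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for member in zf.namelist():
            data = zf.read(member)
            for name, needles in INDICATORS.items():
                if any(n in data for n in needles):
                    hits.setdefault(name, []).append(member)
    return hits


def build_sample_apk(dex_payload):
    """Constructed stand-in for an APK: a zip with a manifest and one dex."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", dex_payload)
    return buf.getvalue()


# Constructed samples (fake dex contents, only the strings matter here).
SUSPECT_APK = build_sample_apk(
    b"dex\n035\x00Ldalvik/system/DexClassLoader;"
    b"https://example-project.firebaseio.com/"
)
BENIGN_APK = build_sample_apk(b"dex\n035\x00Landroid/app/Activity;")

if __name__ == "__main__":
    for label, apk in (("suspect", SUSPECT_APK), ("benign", BENIGN_APK)):
        print(label, scan_apk(apk) or "no indicators")
```

On a real APK the same function can be pointed at `open(path, "rb").read()`; a hit on `dynamic_code_loading` is a reason to look at what the app downloads and from where, which is exactly what the Hermit analysis describes.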


Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: yadullahabidi@pm.me.