Google’s Threat Analysis Group reported that Italian spyware vendor RCS Labs cooperated with some Internet service providers to install spyware on users’ smartphones.
All the attacks involved a unique link sent to a target — if a user followed the link, it would prompt them to download and install attacker-controlled content on their Android or iOS device.
The illegitimate application would allow threat actors to carry out authorised drive-by download attacks.
An authorised drive-by attack refers to tricking users into downloading software containing malicious code that enables additional downloads without the target’s knowledge.
“In some cases, we believe the actors worked with the target’s Internet service provider to disable the target’s mobile data connectivity,” the report stated.
In these cases, the threat actors would encourage victims to install a malicious application to restore their data connectivity.
“We believe this is the reason why most of the applications masqueraded as mobile carrier applications,” Benoit Sevens and Clement Lecigne said.
The researchers noted that the malware was disguised as messaging applications if Internet service providers weren’t involved.
In one observed case, the attackers used a fake Facebook support page offering links to install Facebook, WhatsApp, or Instagram.
The WhatsApp link would install a fake version of the messaging application that enabled the drive-by spyware installation, while the Facebook and Instagram links installed the legitimate applications.
The iOS versions of the malicious software did not appear on the App Store, but could instead be sideloaded onto a device.
“This sideloading works because the app is signed with an enterprise certificate, which can be purchased for $299 via the Apple Enterprise developer program,” Google Project Zero security researcher Ian Beer said.
For Android devices, the downloaded APK required that the installation of applications from unknown sources be enabled.
“Although the applications were never available in Google Play, we have notified the Android users of infected devices, and implemented changes in Google Play Protect to protect all users,” the researchers said.
Google’s Threat Analysis Group (TAG) identified affected users in Italy and Kazakhstan.
“This campaign is a good reminder that attackers do not always use exploits to achieve the permissions they need,” the TAG researchers said.
“Basic infection vectors and drive-by downloads still work and can be very efficient with the help from local ISPs.”
Google’s TAG currently tracks over 30 spyware vendors that sell exploits and surveillance capabilities to government-backed entities.