Google has been tracking the activities of commercial spyware vendors for years. Recently, RCS Labs, an Italian vendor, has been found to use a combination of tactics, including atypical drive-by downloads as initial infection vectors to target mobile users on both iOS and Android. Google has identified victims located in Italy and Kazakhstan.
All campaigns Google's Threat Analysis Group (TAG) observed originated with a unique link sent to the target. Once clicked, the page attempted to get the user to download and install a malicious application on either Android or iOS. In some cases, Google believes the actors worked with the target's ISP to disable the target's mobile data connectivity. Once it was disabled, the attacker would send a malicious link via SMS asking the target to install an application to recover their data connectivity. When ISP involvement is not possible, the applications are masqueraded as messaging applications.
The downloaded apps expose the user to a variety of vulnerabilities, including:
- CVE-2018-4344, publicly known as LightSpeed.
- CVE-2019-8605, publicly known as SockPuppet.
- CVE-2020-3837, publicly known as TimeWaste.