RCS Lab spyware uses known exploits to install harmful payloads and steal private user data, according to a Google report. Credit: Daviles / Getty Images Google’s Threat Analysis Group (TAG) has identified Italian vendor RCS Lab as a spyware offender, developing tools that are being used to exploit zero-day vulnerabilities to effect attacks on iOS and Android mobile users in Italy and Kazakhstan. According to a Google blog post on Thursday, RCS Lab uses a combination of tactics, including atypical drive-by downloads, as initial infection vectors. The company has developed tools to spy on the private data of the targeted devices, the post said. Milan-based RCS Lab claims to have affiliates in France and Spain, and on its website lists European government agencies as clients. It claims to deliver “cutting-edge technical solutions” in the field of lawful interception. The company was unavailable for comment and did not respond to email queries. In a statement to Reuters, RCS Lab said, “RCS Lab personnel are not exposed, nor participate in any activities conducted by the relevant customers.” On its website, the firm advertises that it offers “complete lawful interception services, with more than 10,000 intercepted targets handled daily in Europe alone.” Google’s TAG, on its part, said it has observed spyware campaigns using capabilities it attributes to RCS Lab. The campaigns originate with a unique link sent to the target, which, when clicked, attempts to get the user to download and install a malicious application on either Android or iOS devices. This appears to be done, in some cases, by working with the target device’s ISP to disable mobile data connectivity, Google said. Subsequently, the user receives an application download link via SMS, ostensibly for recovering data connectivity. For this reason, most of the applications masquerade as mobile carrier applications. When ISP involvement is not possible, applications masquerade as messaging apps. Authorized drive-by downloads Defined as downloads that users authorize without understanding the consequences, the “authorized drive by” technique has been a recurrent method used to infect both iOS and Android devices, Google said. The RCS iOS drive-by follows Apple instructions for distributing proprietary in-house apps to Apple devices, Google said. It uses ITMS (IT management suite) protocols and signs payload-bearing applications with a certificate from 3-1 Mobile, an Italy-based company enrolled in the Apple Developer Enterprise program. The iOS payload is broken into multiple parts, leveraging four publicly known exploits—LightSpeed, SockPuppet, TimeWaste, Avecesare—and two recently identified exploits, internally known as Clicked2 and Clicked 3. The Android drive-by relies on users enabling installation of an application that disguises itself as a legitimate app that displays an official Samsung icon. To protect its users, Google has implemented changes in Google Play Protect and disabled Firebase projects used as C2—the command and control techniques used for communications with affected devices. Additionally, Google has listed a few indicators of compromise (IOC) in its blog post, to help security professionals detect intrusions. Related content feature Windows 11 Insider Previews: What’s in the latest build? Get the latest info on new preview builds of Windows 11 as they roll out to Windows Insiders. Now updated for Build 22635.3566 for the Beta Channel, released on April 26, 2024. By Preston Gralla Apr 26, 2024 251 mins Small and Medium Business Microsoft Windows 11 news Dropbox adds end-to-end encryption for team folders Dropbox this week unveiled a range of features, including security updates and key management, and the ability to co-edit Microsoft 365 documents from within the file-sharing app. By Matthew Finnegan Apr 26, 2024 3 mins Cloud Storage Collaboration Software Productivity Software feature Android versions: A living history from 1.0 to 15 Explore Android's ongoing evolution with this visual timeline of versions, starting B.C. (Before Cupcake) and going all the way to 2024's Android 15 (beta) release. By JR Raphael Apr 26, 2024 23 mins Small and Medium Business Smartphones Android news analysis The unspoken obnoxiousness of Google's Gemini improvements Google's Gemini chatbot is seeing all sorts of upgrades on Android this week, but those advancements reveal a darker underlying reality. By JR Raphael Apr 26, 2024 12 mins Google Assistant Google Android Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe