Attackers hit iOS and Android devices with spyware in Italy and Kazakhstan

Posted in General Discussion, edited June 2022
Google has revealed that Android and iOS users in Italy and Kazakhstan were tricked into installing a malicious application that then stole personal information from the device.

Malware illustration


A report published on Thursday by Google's Threat Analysis Group details findings from the company's ongoing tracking of commercial spyware vendors.

The company named the Italian firm RCS Labs as the likely party responsible for the attacks. Google alleges RCS Labs used "a combination of tactics" to target users in Italy and Kazakhstan, including what it describes as drive-by downloads.

The install links were sent in messages masquerading as notifications from the victim's internet service provider or from a messaging application. A typical message claimed the victim had lost access to their account or service and needed to sign in via the included link to restore it.

Once the victim opened the linked site, they were shown genuine-looking logos and realistic account-recovery prompts, with the download of the malicious application hidden behind official-looking buttons and icons. For example, one of the many variants of the app used in the campaign carried a Samsung logo as its icon and pointed to a fake Samsung website.

The Android version of the attack was delivered as an .apk file. Because Android lets a user install apps from outside the Google Play store once installation from unknown sources is allowed, the actors had no need to convince victims to trust a special certificate; the victim only had to accept the install prompt.

Once installed, the Android app requested a broad set of permissions, including access to network status, account credentials, contacts and the contents of external storage, all of which were then available to the attackers.
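The permission set described above is the first thing an analyst checks when triaging a sideloaded APK. The following is an added example, not code from Google's report or from the article: it parses a decoded AndroidManifest.xml (the output of apktool or a similar decoder, since the manifest inside an APK is binary XML) and flags the combination a data-stealing app needs, namely personal-data permissions plus network access. The sample manifest, its package name and the lists of permissions treated as sensitive are constructed for this example and are not taken from the real samples.

```python
"""Triage the permissions requested by a decoded AndroidManifest.xml."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions that give access to personal data. Which ones count as
# sensitive is this example's choice, not an official Android classification.
PERSONAL_DATA = {
    "android.permission.READ_CONTACTS": "contact details",
    "android.permission.GET_ACCOUNTS": "account identifiers on the device",
    "android.permission.READ_EXTERNAL_STORAGE": "files on external storage",
    "android.permission.READ_SMS": "SMS content, including one-time codes",
    "android.permission.READ_CALL_LOG": "call history",
}

# Permissions that provide the way out (or a way to pull more code in).
NETWORK = {
    "android.permission.INTERNET": "network access (exfiltration path)",
    "android.permission.ACCESS_NETWORK_STATE": "network status",
    "android.permission.REQUEST_INSTALL_PACKAGES": "can install further APKs",
}


def requested_permissions(manifest_xml: str) -> list[str]:
    """Return the android:name of every permission request, in document order.

    Both <uses-permission> and <uses-permission-sdk-23> are counted; the
    latter is only requested on API 23+ but is still a request.
    """
    root = ET.fromstring(manifest_xml)
    names = []
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for elem in root.iter(tag):
            name = elem.get(f"{{{ANDROID_NS}}}name")
            if name:
                names.append(name)
    return names


def triage(manifest_xml: str) -> dict:
    """Summarise what the app can read and whether it can send it anywhere."""
    root = ET.fromstring(manifest_xml)
    perms = requested_permissions(manifest_xml)
    reads = {p: PERSONAL_DATA[p] for p in perms if p in PERSONAL_DATA}
    network = {p: NETWORK[p] for p in perms if p in NETWORK}
    return {
        "package": root.get("package"),
        "permissions": perms,
        "reads_personal_data": reads,
        "network": network,
        # Theft needs both: something worth reading and a channel to send it on.
        "data_theft_capable": bool(reads) and "android.permission.INTERNET" in network,
    }


# Constructed sample: a lookalike "update" app of the kind the article describes.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.lookalike.update">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.VIBRATE"/>
    <application android:label="Samsung Update"/>
</manifest>
"""

if __name__ == "__main__":
    report = triage(SAMPLE_MANIFEST)
    print(report["package"], "data_theft_capable =", report["data_theft_capable"])
    for perm, why in {**report["reads_personal_data"], **report["network"]}.items():
        print(f"  {perm}: {why}")
```

Run it against the manifest produced by `apktool d sample.apk`; a benign utility that only asks for INTERNET comes back with `data_theft_capable` false, while the constructed lookalike is flagged because it pairs contacts, accounts and storage access with a network channel.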

Victims using iOS were instead walked through trusting an enterprise developer certificate. Apps signed under the Apple Developer Enterprise Program are meant for an organization to distribute to its own employees' devices and never pass through App Store review; once the user trusted the profile, the properly signed malicious app could be sideloaded and run with no App Store protections applying at all.
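The profile the victim is asked to trust can be examined before, or after, the fact. The following added example, which is not code from Google's report or from the article, pulls the plist out of an `embedded.mobileprovision` taken from an IPA and reports whether it is an enterprise (in-house) profile: `ProvisionsAllDevices` is set only on Apple Developer Enterprise Program profiles, whereas an ad hoc or development profile carries a `ProvisionedDevices` list instead. It does not verify the CMS signature around the plist (`security cms -D -i embedded.mobileprovision` on macOS does that); the sample profile bytes, team name and bundle identifier are constructed for the example, with filler bytes standing in for the real DER envelope.

```python
"""Report how an iOS app's embedded provisioning profile lets it be distributed."""
import plistlib
from datetime import datetime, timezone
from typing import Optional

PLIST_START = b"<?xml"
PLIST_END = b"</plist>"


def extract_plist(profile: bytes) -> dict:
    """Return the plist dictionary embedded in a .mobileprovision file.

    The file is a DER-encoded CMS SignedData structure whose signed content is
    an XML plist. Locating the plist by its markers is enough for triage; it
    does NOT check Apple's signature over the profile.
    """
    start = profile.find(PLIST_START)
    end = profile.find(PLIST_END, start)
    if start == -1 or end == -1:
        raise ValueError("no XML plist found in profile")
    return plistlib.loads(profile[start : end + len(PLIST_END)])


def triage_profile(profile: bytes, now: Optional[datetime] = None) -> dict:
    """Summarise the distribution model and key entitlements of a profile."""
    p = extract_plist(profile)
    # plistlib returns naive datetimes in UTC, so compare against naive UTC.
    now = now or datetime.now(timezone.utc).replace(tzinfo=None)
    expires = p.get("ExpirationDate")
    entitlements = p.get("Entitlements", {})
    enterprise = bool(p.get("ProvisionsAllDevices"))
    devices = p.get("ProvisionedDevices")
    if enterprise:
        verdict = ("enterprise profile: installs on any device with no App Store "
                   "review; do not trust unless issued by your own employer")
    elif devices is not None:
        verdict = "device-limited profile (ad hoc or development)"
    else:
        verdict = "App Store distribution profile"
    return {
        "name": p.get("Name"),
        "team": p.get("TeamName"),
        "team_ids": list(p.get("TeamIdentifier", [])),
        "app_id": entitlements.get("application-identifier"),
        "enterprise": enterprise,
        "device_limited": devices is not None,
        "device_count": len(devices) if devices else 0,
        "debuggable": bool(entitlements.get("get-task-allow")),
        "expired": expires is not None and expires < now,
        "verdict": verdict,
    }


# Constructed sample: an in-house profile for a fake "carrier helper" app, with
# filler bytes where the real file carries the CMS/DER envelope and signature.
SAMPLE_PROFILE = (
    b"\x30\x82\x10\x00[constructed DER/CMS header filler]"
    + b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Name</key><string>Example In House</string>
  <key>TeamName</key><string>Example Mobile Srl</string>
  <key>TeamIdentifier</key><array><string>EXAMPLE123</string></array>
  <key>ProvisionsAllDevices</key><true/>
  <key>CreationDate</key><date>2021-11-01T00:00:00Z</date>
  <key>ExpirationDate</key><date>2099-01-01T00:00:00Z</date>
  <key>Entitlements</key>
  <dict>
    <key>application-identifier</key><string>EXAMPLE123.com.example.carrier.helper</string>
    <key>get-task-allow</key><false/>
  </dict>
</dict>
</plist>"""
    + b"[constructed CMS signature filler]"
)

if __name__ == "__main__":
    for key, value in triage_profile(SAMPLE_PROFILE).items():
        print(f"{key}: {value}")
```

On a real IPA, unzip it and point `extract_plist` at `Payload/<App>.app/embedded.mobileprovision`; an enterprise verdict for an app you received through a message link, from a team you have never heard of, is exactly the situation the article describes.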

The iOS version of the malicious application bundled six different exploits to escalate privileges and extract information from the device, with the app broken into multiple parts, each using a specific exploit. Four of the six were exploits originally written and published by the jailbreaking community to gain kernel-level code execution and break out of the app sandbox, repurposed here for surveillance rather than for jailbreaking.

Because of iOS sandboxing, the data extracted was limited in scope. While files such as the local database of the messaging application WhatsApp were obtained from victims, the sandbox kept the app from reaching into other applications and reading their data directly.

Google has warned Android victims of this campaign directly. It has also updated Google Play Protect to protect users against the apps, and has disabled Firebase projects used by the attackers.

Apple has patched all of the vulnerabilities used in the exploit chain. The last of the fixes shipped with iOS 15.2 in December 2021, so the exploits bundled in the app do not work on a device running that release or later.

Apple users have long been targets for nefarious actors. In January 2022, government agents managed to get malware onto the Macs of pro-democracy activists. More recently, in April, a phishing attack on a victim's iCloud account led to $650,000 worth of assets being stolen.

Owners of iOS or iPadOS devices are protected from attacks of this sort as long as they do not trust enterprise developer profiles that did not come from their own organization; a prompt to trust a profile that arrives via a message link is itself the warning sign. Android users should likewise refuse .apk files delivered by link rather than through the Play store. It is also good practice for any user who has questions about a call-to-action received through a messaging service to contact the company directly using a channel established before the message arrived, rather than the link provided.

Updated June 24, 7:00 AM ET: Updated with confirmation of Apple's patching efforts to stop the entire exploit chain.


Comments

  • Reply 1 of 14
docbburk (Posts: 109, member)
It's funny how the "geniuses" in Congress and the EU keep trying to force Apple to let alternative app stores and sideloading in. Crap like this shows another reason Apple is right and they are just stages for the likes of Epic Games, Google, and bad actors.
  • Reply 2 of 14
geekmee (Posts: 629, member)
Uh, how many users were infected successfully?…
In these two countries in Europe??…
What version of the OS did each have installed on their phones???
  • Reply 3 of 14
sflocal (Posts: 6,092, member)
    And the Darwin-award candidates running our country and the EU are considering forcing Apple to allow side loading apps to bring all the security-vulnerabilities that Android has?  No thank you.
  • Reply 4 of 14
ranson (Posts: 69, member)
    docbburk said:
It's funny how the "geniuses" in Congress and the EU keep trying to force Apple to let alternative app stores and sideloading in. Crap like this shows another reason Apple is right and they are just stages for the likes of Epic Games, Google, and bad actors.
    You realize it was Google who identified this operation and alerted the public about it?
  • Reply 5 of 14
    geekmee said:
Uh, how many users were infected successfully?…
In these two countries in Europe??…
What version of the OS did each have installed on their phones???

    Do you really think Kazakhstan is in Europe? I'm guessing you're an American? Lol

  • Reply 6 of 14
avon b7 (Posts: 7,622, member)
    sflocal said:
    And the Darwin-award candidates running our country and the EU are considering forcing Apple to allow side loading apps to bring all the security-vulnerabilities that Android has?  No thank you.
    After scanning the linked page it seems the iOS tactic was to get the app installed by sideloading it using Apple's own sideloading procedures.

    Sideloading per se isn't the problem. 
  • Reply 7 of 14
    geekmee said:
Uh, how many users were infected successfully?…
In these two countries in Europe??…
What version of the OS did each have installed on their phones???
And how is this important? Today's attacks are not about what is on your device, but about diversion and pivoting attacks using your device. You may want to read recent security information. It explains what happened in Kazakhstan and how it got through malware chains into those locations.

Never assume that you are the target. You could be a puppet, with your device needed for something else. Want me to tell a story from finance, where I worked, about what happened with millions of credit cards on Black Friday 10 years ago and how an HVAC company was involved in that? It is not nice explaining the situation to Secret Service officers.
  • Reply 8 of 14
    sflocal said:
    And the Darwin-award candidates running our country and the EU are considering forcing Apple to allow side loading apps to bring all the security-vulnerabilities that Android has?  No thank you.
And you would assume that all applications on macOS come only from the App Store? So why is it no for iOS and not for macOS?
  • Reply 9 of 14
    ranson said:
    docbburk said:
It's funny how the "geniuses" in Congress and the EU keep trying to force Apple to let alternative app stores and sideloading in. Crap like this shows another reason Apple is right and they are just stages for the likes of Epic Games, Google, and bad actors.
    You realize it was Google who identified this operation and alerted the public about it?
The person does not. The important thing is to demean Google and praise Apple only. The kind of mentality and maturity of these people with shiny iPhones.
  • Reply 10 of 14
StrangeDays (Posts: 12,834, member)
    avon b7 said:
    sflocal said:
    And the Darwin-award candidates running our country and the EU are considering forcing Apple to allow side loading apps to bring all the security-vulnerabilities that Android has?  No thank you.
    After scanning the linked page it seems the iOS tactic was to get the app installed by sideloading it using Apple's own sideloading procedures.

    Sideloading per se isn't the problem. 
    …which would be even more so of a problem with various mandated third party app stores. That was the point, obviously. Whoosh
  • Reply 11 of 14
avon b7 (Posts: 7,622, member)
    avon b7 said:
    sflocal said:
    And the Darwin-award candidates running our country and the EU are considering forcing Apple to allow side loading apps to bring all the security-vulnerabilities that Android has?  No thank you.
    After scanning the linked page it seems the iOS tactic was to get the app installed by sideloading it using Apple's own sideloading procedures.

    Sideloading per se isn't the problem. 
    …which would be even more so of a problem with various mandated third party app stores. That was the point, obviously. Whoosh
    Why are you so sure of that?

    Sideloading is a way of getting software onto the device. Nothing more. 

    What is in that software is a different story. No one (not even Apple and the regular App Store) can guarantee against nefarious software getting through the gate but it is entirely possible for alternative app stores to have better screening than Apple. It is entirely possible for trusted vendors to sideload directly onto a device from their own infrastructure. The problem is that Apple doesn't allow that for consumers. But that is a different story too. 

Sideloading isn't the root problem.
  • Reply 12 of 14
    geekmee said:
Uh, how many users were infected successfully?…
In these two countries in Europe??…
What version of the OS did each have installed on their phones???

    Do you really think Kazakhstan is in Europe? I'm guessing you're an American? Lol

    So the 57,000 square miles that are in Europe don't count? That's more than all of Ireland....
  • Reply 13 of 14
crowley (Posts: 10,453, member)
    geekmee said:
Uh, how many users were infected successfully?…
In these two countries in Europe??…
What version of the OS did each have installed on their phones???

    Do you really think Kazakhstan is in Europe? I'm guessing you're an American? Lol

    So the 57,000 square miles that are in Europe don't count? That's more than all of Ireland....
    15% of the country being west of the Ural river does not mean that Kazakhstan is in Europe, as OP and the article said.  In no sensible measure is 15% taken to be the whole.

    Though I'm not sure why continental location is even relevant to the subject.
  • Reply 14 of 14
bulk001 (Posts: 764, member)
    geekmee said:
Uh, how many users were infected successfully?…
In these two countries in Europe??…
What version of the OS did each have installed on their phones???

    Do you really think Kazakhstan is in Europe? I'm guessing you're an American? Lol

Everything Americans know about Kazakhstan we learnt from Borat. But know this: if Russia invades you for embarrassing Giuliani, you will have no better friend than the US!