Notorious spyware vendor NSO Group told European lawmakers this week that at least five EU countries use its powerful Pegasus surveillance malware. But as more people learn about the reality of how NSO’s products are being abused around the world, researchers are also working to raise awareness that the surveillance-for-hire industry extends far beyond one company. On Thursday, Google’s Threat Analysis Group and Project Zero vulnerability analysis team released the findings of an investigation into the iOS version of Italian developer RCS Labs’ spyware product.
Google researchers say they have detected spyware victims on both Android and iOS devices in Italy and Kazakhstan. Last week, security firm Lookout released its findings on an Android version of the spyware, which it called “Hermit,” also attributed to RCS Labs. Lookout noted that Italian officials used a version of the spyware in a 2019 anti-corruption investigation. In addition to victims located in Italy and Kazakhstan, Lookout also found data indicating that an unidentified entity was using the spyware to target northeastern Syria.
“Google has been tracking the activities of commercial spyware vendors for years, and during that time, we’ve seen the industry rapidly expand from a handful of vendors to an entire ecosystem,” TAG security engineer Clement Lecigne told WIRED. “These vendors have contributed to the proliferation of dangerous hacking tools, arming governments that cannot develop these capabilities in-house. But there is little transparency in this industry, which is why sharing information about these vendors and their capabilities is critical.”
TAG said it currently tracks more than 30 spyware makers that offer a range of technical capabilities and levels of sophistication to government-backed customers.
In an analysis of the iOS version, Google researchers found that attackers were distributing the iOS spyware using a fake app that looked like the “My Vodafone” app from the popular international mobile carrier. In both the Android and iOS attacks, attackers may simply trick the target into downloading what appears to be a messaging app by distributing malicious links for victims to click. But in some particularly high-profile cases of iOS targeting, Google found that attackers may have been working with local ISPs to cut off specific users’ mobile data connections, send them malicious download links via SMS, and convince them to install the fake My Vodafone app over Wi-Fi with the promise that this would restore their phone service.
The attackers were able to distribute the malicious app because RCS Labs was registered with Apple’s Enterprise Developer Program, apparently obtaining a certificate through a shell company called “3-1 Mobile SRL,” which allowed them to sideload apps onto devices without Apple’s usual App Store review.
All known accounts and certificates associated with the spyware activity have been revoked, Apple told WIRED.
“Enterprise certificates are for internal company use only, not for general app distribution, as they can be used to circumvent App Store and iOS protections,” the company wrote in its October report on sideloading. “Despite the tight control and limited scale of the program, bad actors have found ways to gain unauthorized access, such as by purchasing enterprise certificates on the black market.”