RCS Lab hack: How Android, iOS users in Italy and Kazakhstan were spied on

Google recently revealed in a new blog post that it has been tracking the activities of commercial spyware vendors, including Italy-based RCS Lab, which was found to be targeting mobile users in Italy and Kazakhstan.
The findings were discovered Google’s Threat Analysis Group or TAG, which has tracked over 30 vendors with “varying levels of sophication and public exposure selling exploits or surveillance capabilities to government-backed actors,” notes a blog post the company.
RCS Lab’s spyware has been accused of using a combination of tactics to victimise both Android and iOS users in the affected regions. This includes atypical drive- downloads as initial infection vectors. Here’s how the attack worked to trick users into installing malicious applications.
How does RCS Lab’s spyware tool work?
Google’s TAG observed a similar pattern with all victims of the powerful attack. A unique link is sent to the target, which when clicked, redirects the user to another page and gets them to download and install a malicious application on their Android or iOS device.
This app would target the victim’s mobile data connectivity and disable it. This would, however, just be the first step in the attack.
A false page like the one you see here was used to trick people into downloading malicious apps to “unblock their account.” (Image Source: Google)
After the data services have been compromised, the attacker would send another malicious link via SMS, asking users to install another application to fix their now-disabled data connectivity. These apps would use different approaches for both Android and iOS phones.
“We believe this is the reason why most of the applications masqueraded as mobile carrier applications,” Google said in the post, adding that “when ISP involvement is not possible, applications are masqueraded as messaging applications.”
For iOS devices, attackers simply followed Apple instructions on how to dribute proprietary in-house apps to Apple devices and used the itms-services protocol with the following manifest file and using com.ios.Carrier as the identifier.

The attacking application would also be signed with a certificate from a company named 3-1 Mobile SRL, thus allowing it to satisfy all iOS code signing requirements since the company was enrolled in the Apple Developer Enterprise Program.
These attacking apps can be sideloaded on phones instead of being installed from something like the App Store. The app then uses multiple exploits to escalate its privileges and extracting important files from the device. Notably, all exploits were public ones written various jailbreaking communities.
For Android phones, the downloaded APK would require victims to first enable installation of applications from unknown sources. The attacking app disguises itself as a legitimate Samsung app, even getting a Samsung logo to trick users.
Google revealed that while the APK itself didn’t contain any exploits, its code hinted at the presence of exploits that could be downloaded and executed on the target device.
“This campaign is a good reminder that attackers do not always use exploits to achieve the permissions they need. Basic infection vectors and drive downloads still work and can be very efficient with the help from local ISPs,” Google said in the post.
Commercial Spyware industry growing at ‘concerning’ rate
Google mentioned in its post that the growing use of spyware should be concerning to all users. “These vendors are enabling the proliferation of dangerous hacking tools and arming governments that would not be able to develop these capabilities in-house,” it said.
Apple is yet to issue a response to the statement. Meanwhile, RCS Labs has denied any wrongdoing on its part, saying its products and services comply with European rules and help law enforcement agencies investigate crimes, as per a report Reuters. “RCS Lab personnel are not exposed, nor participate in any activities conducted the relevant customers,” the report said.