Google’s Threat Analysis Group (TAG) revealed this week that an Italian company’s hacking tools were being used to hack iOS and Android devices. According to the report, Italy’s RCS Lab “uses a combination of tactics” to target mobile phones. RCS Lab claims that it provides law enforcement agencies with technological solutions for the “lawful interception” of user data. Google’s analysis of the company’s tools suggests otherwise.
New spyware used to hack iOS and Android phones
Google identified victims of the spyware campaign in Italy and Kazakhstan. The campaign is not especially complex, but it is clearly effective.
As Google explains, the attacker begins by sending a unique link to the target. When the target clicks the link, the page instructs them to download and install a malicious application. That sounds like a standard phishing campaign, but it gets worse.
Google believes that in some cases the attackers worked with the target’s internet service provider to disable the target’s mobile data connectivity. Once the connection was cut, the attacker sent an SMS with a link telling the target to install an application to restore connectivity. This is likely why most of the malicious apps posed as mobile carrier apps.
When the attackers could not coordinate with an ISP, the malicious app was disguised as a messaging application instead, and the page told the user to install it in order to recover their account.
Google does not believe the malicious apps were ever available in the App Store or on Google Play. Instead, iPhone users would have to sideload the app (it was signed with an Apple enterprise developer certificate, which allows installation outside the App Store without a jailbreak), and Android users would need to enable the installation of apps from unknown sources.
“This campaign is a good reminder that attackers do not always use exploits to achieve the permissions they need,” Google explained. “Basic infection vectors and drive by downloads still work and can be very efficient with the help from local ISPs.”
Google says that in order to protect users, it warned every Android victim, made changes to Google Play Protect, and disabled Firebase projects used in this campaign.
Are iPhone users safe from the hack?
Thankfully, as noted by Macworld, Apple has already patched all six of the exploits the RCS Lab iOS app used to escalate privileges after installation. Here are the exploits, all of which have since been patched:
- CVE-2018-4344, internally referred to and publicly known as LightSpeed.
- CVE-2019-8605, internally referred to as SockPort2 and publicly known as SockPuppet.
- CVE-2020-3837, internally referred to and publicly known as TimeWaste.
- CVE-2020-9907, internally referred to as AveCesare.
- CVE-2021-30883, internally referred to as Clicked2, marked as being exploited in the wild by Apple in October 2021.
- CVE-2021-30983, internally referred to as Clicked3, fixed by Apple in December 2021.
As long as your iPhone is running the latest version of iOS, none of these exploits will work against it, so the RCS Lab spyware cannot escalate beyond the permissions of an ordinary sideloaded app. The initial infection step, however, needs no exploit at all: it relies on the user installing an app from a link. So keep your devices up to date with the latest patches, and treat any message urging you to install an app to restore service or recover an account as a red flag.