RCS Labs’ customers include law enforcement agencies around the world, according to the seller’s website. It is one of more than 30 groups tracked by Google researchers that sell vulnerabilities or surveillance capabilities to government-backed groups. We are told that this spy software works on both iOS and Android phones.
We understand that this particular campaign of espionage involving RCS spyware was documented last week by Lookout, dubbed “Hermit”. We were told that it could potentially spy on the victims’ chat apps, camera and microphone, contact book and calendars, browser, and clipboard, and send that information back to the base. It is said that the Italian authorities used this tool to tackle corruption cases, and that the Kazakh government also got its hands on it.
On Thursday this week, TAG revealed its analysis of the program, and how it helped deconstruct the infection.
According to Google employees Benoit Sevens and Clement Lecigne, some targets were sent text messages asking them to install an app to fix their mobile data connection. In fact, this app infected the device with RCS spyware. The intrusions with the monitoring tool seem to have made the victims’ cellular providers reduce their wireless internet connection, thus convincing the signs to run the app.
“We believe this is the reason why most apps are masquerading as carrier apps,” explained Sevens and Lecigne.
In cases without any communication assistance, the spies sent a link to a page displaying malicious apps masquerading as legitimate messaging apps from the Meta parent company on Facebook. Running these programs infects your device with spyware.
Getting the app to download and run on iOS takes a few extra steps due to security measures in the operating system: for one thing, the app wasn’t coming from the official app store and so it’s usually rejected. Instead, the hackers followed Apple’s notes on how to distribute private internal apps to iThings, according to Google bug researchers.
This allowed the miscreants to produce an app digitally signed by a company registered with the Apple Developer Enterprise Program and, crucially, an app that could be installed on the victim’s device by getting them to fetch and launch it from a web page.
The iPhone app itself has multiple parts, including a privilege escalation exploit to escape the sandbox it’s running in, along with an agent that can steal files from iOS devices. In their analysis, Sevens and Lecigne analyzed an application with exploit code for the following vulnerabilities:
Security researchers said CVE-2021-30883 and CVE-2021-30983 were zero-day vulnerabilities, and Project Zero published a technical analysis of the latter.
Meanwhile, on Android, the installation process worked as follows: first, a link is sent to a web page that tricks the victim into fetching and installing a malicious app that looks like a legitimate Samsung app that, when launched, opens a webview showing a legitimate website associated with the code.
Once installed, it asks for permissions, uses messaging services like Firebase Cloud Messaging and Huawei Messaging Service for command and control communications, and then continues its spying and data theft work.
Researchers warn that it may be able to download additional malware as well. Sevens and Lecigne wrote: “While the APK itself does not contain any vulnerabilities, the code hints at vulnerabilities that can be downloaded and executed.”
They also listed several hashes of executable files, domains used for code distribution, command and control domains and IP addresses whose presence in the logs might indicate a compromised device.
Google notified all known Android victims, made changes to Google Play Protect to prevent RCS code from running, and crashed the Firebase project used for command and control communications, we’re told. Hopefully that pulls the plug on him for now.
“This campaign is a good reminder that attackers don’t always use vulnerabilities to achieve the permissions they need,” added Sevens and Lessin. “Primary vectors and drive downloads still work and can be very effective with the help of local ISPs.” ®