Spyware firm is hacking into iOS and Android devices, according to Google

Spyware firm is hacking into iOS and Android devices, according to Google

RCS Lab spyware uses known exploits to install harmful payloads and steal private user data, according to a Google report.

Credit: Dreamstime

Google's Threat Analysis Group (TAG) has identified Italian vendor RCS Lab as a spyware offender, developing tools that are being used to exploit zero-day vulnerabilities to effect attacks on iOS and Android mobile users in Italy and Kazakhstan.

According to a Google blog post on Thursday, RCS Lab uses a combination of tactics, including atypical drive-by downloads as initial infection vectors. The company has developed tools to spy on the private data of the targeted devices, the post said.

Milan-based RCS Lab claims to have affiliates in France and Spain, and has listed European government agencies as its clients on its website. It claims to deliver "cutting-edge technical solutions" in the field of lawful interception.

The company was unavailable for comment and did not respond to email queries. In a statement to Reuters, RCS Lab said, "RCS Lab personnel are not exposed, nor participate in any activities conducted by the relevant customers."

On its website, the firm advertises that it offers "complete lawful interception services, with more than 10,000 intercepted targets handled daily in Europe alone."

Google's TAG, on its part, said it has observed spyware campaigns using capabilities it attributes to RCS Lab. The campaigns originate with a unique link sent to the target, which, when clicked, attempts to get the user to download and install a malicious application on either Android or iOS devices.

This appears to be done, in some cases, by working with the target device's ISP to disable mobile data connectivity, Google said. Subsequently, the user receives an application download link via SMS, ostensibly for recovering data connectivity.

For this reason, most of the applications masquerade as mobile carrier applications. When ISP involvement is not possible, applications masquerade as messaging apps.

Authorised drive-by downloads

Defined as downloads that users authorise without understanding the consequences, the "authorised drive by" technique has been a recurrent method used to infect both iOS and Android devices, Google said.

The RCS iOS drive-by follows Apple instructions for distributing proprietary in-house apps to Apple devices, Google said. It uses ITMS (IT management suite) protocols and signs payload-bearing applications with a certificate from 3-1 Mobile, an Italy-based company enrolled in the Apple Developer Enterprise program.

The iOS payload is broken into multiple parts. leveraging four publicly known exploits — LightSpeed, SockPuppet, TimeWaste, Avecesare — and two recently identified exploits, internally known as Clicked2 and Clicked 3.

The Android drive-by relies on users enabling installation of an application that disguises itself as a legitimate app that displays an official Samsung icon.

To protect its users, Google has implemented changes in Google Play Protect and disabled Firebase projects used as C2—the command and control techniques used for communications with affected devices. Additionally, Google has enlisted a few indicators of compromise (IOC) in the post to warn Android victims.

Follow Us

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags GoogleAndroidioscyber security



Join key decision-makers within Environmental, Social, and Governance (ESG) that have the power to affect real change and drive sustainable practices. SustainTech will bridge the gap between ambition and tangible action, promoting strategies that attendees can use in their day-to-day operations within their business.

EDGE 2023

EDGE is the leading technology conference for business leaders in Australia and New Zealand, built on the foundations of collaboration, education and advancement.


ARN has celebrated gender diversity and recognised female excellence across the Australian tech channel since first launching WIICTA in 2012, acknowledging the achievements of a talented group of female front runners who have become influential figures across the local industry.

ARN Innovation Awards 2023

Innovation Awards is the market-leading awards program for celebrating ecosystem innovation and excellence across the technology sector in Australia.

Show Comments