Google has identified RCS Labs as the spyware vendor that has been targeting iOS and Android users in Italy and Kazakhstan with links to malicious applications. In some cases, “actors worked with the target’s ISP to disable the target’s mobile data connectivity,” Google wrote, and “once disabled, the attacker would send a malicious link via SMS asking the target to install an application to recover their data connectivity.” Infected devices can send user data to over a dozen domains. “Basic infection vectors and drive-by downloads still work and can be very efficient with the help from local ISPs,” Google warned.
“Today, alongside Google’s Project Zero, we are detailing capabilities we attribute to RCS Labs, an Italian vendor that uses a combination of tactics, including atypical drive-by downloads as initial infection vectors, to target mobile users on both iOS and Android. We have identified victims located in Italy and Kazakhstan.
“All campaigns TAG observed originated with a unique link sent to the target. Once clicked, the page attempted to get the user to download and install a malicious application on either Android or iOS. In some cases, we believe the actors worked with the target’s ISP to disable the target’s mobile data connectivity. Once disabled, the attacker would send a malicious link via SMS asking the target to install an application to recover their data connectivity. We believe this is the reason why most of the applications masqueraded as mobile carrier applications. When ISP involvement is not possible, applications are masqueraded as messaging applications.”