Spyware Made For "Lawful Interception" Used To Target Android, iOS Users


UPDATE: While Google didn’t mention this in its report, security researchers at Lookout have linked this spyware to Hermit, which was previously spotted in use by Italian authorities in an anti-corruption operation in 2019. According to the Lookout report, Hermit was developed by the Italian firms RCS Lab and Tykelab Srl, and the Kazakhstan government is using it to spy on Android users within its borders. It may also have been used against targets in Italy and Syria. Lookout also confirmed that an iOS version of Hermit exists but couldn’t obtain a sample for analysis.

ORIGINAL ARTICLE: Spyware developed by an Italian firm that claims to have law enforcement agencies as its clients was used to target Android and iPhone users, Google has found. The company’s Threat Analysis Group (TAG) and Project Zero published their detailed findings on Thursday.

According to the report, Milan-based RCS Lab created the spyware. The firm’s website says it provides “law enforcement agencies worldwide with cutting-edge technological solutions and technical support in the field of lawful interception”. It offers interception and tracking systems for voice, data, and more. RCS Lab has been in this business for more than twenty years and says it handles 10,000 intercepted targets daily in Europe.


Google identifies Android and iOS users as victims of this spyware

Google has found that RCS Lab or its clients are using its products to spy on the private messages and contacts of mobile users. Google identified victims of the spyware in Italy and Kazakhstan. The spyware campaigns use a variety of tactics, “including atypical drive-by downloads as initial infection vectors”.

The target is first sent a unique link to get them to download and install a malicious app. In some cases the attackers also work with the target’s internet service provider: Google believes the ISP cut off the target’s mobile data, after which the target received an SMS asking them to install an app to restore connectivity. No software vulnerability is needed to get the app onto the phone at this stage; on Android the victim is talked into allowing installation from unknown sources, and on iOS the app is sideloaded under an enterprise distribution certificate. Once on the phone, the malicious app can run a variety of exploits to escalate its privileges and spy on the victim.

Google says none of the malicious apps used in this spyware campaign were ever available through the Play Store. The company also adds that the iOS counterparts of these apps were likely never available on the App Store either. Nonetheless, Google has notified the affected Android users and implemented changes in Google Play Protect to protect all users. An Apple spokesperson also confirmed that the company has “revoked all known accounts and certificates” associated with this campaign.
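Because the apps in this campaign were never distributed through the Play Store, one quick triage check on a suspect Android device is to list which packages were installed by something other than a trusted store. The script below is an added example written for this article; it is not code from Google’s or Lookout’s reports. It parses the output format of `adb shell pm list packages -i` (`package:<name>  installer=<installer package or null>`) and flags packages whose installer is not on an allow-list. The allow-list contents and the sample device output are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: flag Android packages that were not installed by a trusted store.
# Input is the format of `adb shell pm list packages -i`:
#   package:<name>  installer=<installer package or null>

# Installers treated as trusted. com.android.vending is the Play Store; the
# Samsung entry is an assumed OEM store and the list should be tuned per fleet.
TRUSTED_INSTALLERS="com.android.vending com.sec.android.app.samsungapps"

flag_sideloaded() {
    # Reads pm output on stdin; prints "<package>\t<installer>" for each
    # package whose installer is not in TRUSTED_INSTALLERS.
    while IFS= read -r line; do
        case "$line" in
            package:*) ;;
            *) continue ;;   # skip anything that is not a package line
        esac
        pkg=${line#package:}
        pkg=${pkg%%[[:space:]]*}          # cut at first whitespace
        installer=${line##*installer=}    # text after "installer="
        trusted=0
        for t in $TRUSTED_INSTALLERS; do
            [ "$installer" = "$t" ] && trusted=1
        done
        if [ "$trusted" -eq 0 ]; then
            printf '%s\t%s\n' "$pkg" "$installer"
        fi
    done
}

# Constructed sample output (not captured from a real device).
# com.android.settings is a system app and shows installer=null; restricting
# the real query to third-party packages with `pm list packages -i -3`
# keeps such system packages out of the results.
SAMPLE='package:com.android.chrome  installer=com.android.vending
package:com.samsung.android.app.notes  installer=com.sec.android.app.samsungapps
package:com.android.settings  installer=null
package:com.carrier.datarecovery  installer=null'

# Usage on a live device:  adb shell pm list packages -i -3 | flag_sideloaded
printf '%s\n' "$SAMPLE" | flag_sideloaded
```

A package appearing in this output is not proof of compromise; it is a starting point for pulling the APK (`adb shell pm path <package>` followed by `adb pull`) and checking its signer and permissions.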


Even though Google has taken steps against this spyware campaign, the company says it is “a good reminder that attackers do not always use exploits to achieve the permissions they need. Basic infection vectors and drive-by downloads still work and can be very efficient with the help of local ISPs”. The full technical write-up is available in Google’s TAG blog post on the campaign.

RCS Lab blamed its customers

RCS Lab has, as expected, distanced itself from the allegations and blamed its customers for any wrongdoing. “RCS Lab personnel are not exposed, nor participate in any activities conducted by the relevant customers,” it said in a statement to Reuters. The company condemned any abuse of its products. It reiterated that its products and services “comply with European rules and help law enforcement agencies investigate crimes.”

Nonetheless, as the Reuters report notes, the global industry making spyware for governments is growing. Not long ago, Israeli surveillance firm NSO came into the limelight for aiding multiple governments to spy on journalists and activists using its Pegasus spyware.


Interestingly, Google found that RCS Lab had collaborated in the past with the now-defunct Italian spyware vendor Hacking Team. Hacking Team also built spyware products that let governments tap into people’s phones and computers. A major breach in 2015 exposed large numbers of its internal documents, and the company later went out of business.