More news concerning the notorious spyware group NSO Group Technologies was released last week in discussions with European legislators. At least five EU countries have been using its powerful Pegasus surveillance malware, raising questions about how commercially available spyware is increasingly being abused.
The capabilities of Pegasus are something out of an Orwellian novel. The software allows governments to hack into iPhones and Android phones, turning on microphones and cameras and recording text messages, call logs, locations, and browsing history.
Yet the hearings last week revealed that the for-profit spyware industry goes beyond a single company.
On Thursday, Google’s Threat Analysis Group and Project Zero vulnerability analysis team published findings about the iOS version of a spyware product attributed to the Italian developer RCS Labs.
Google researchers say they detected victims of the spyware in Italy and Kazakhstan on both Android and iOS devices.
“Google has been tracking the activities of commercial spyware vendors for years, and in that time we have seen the industry rapidly expand from a few vendors to an entire ecosystem,” TAG security engineer Clement Lecigne said.
TAG says it currently tracks more than 30 spyware makers that offer an array of technical capabilities and levels of sophistication to government-backed clients.
In both Android and iOS attacks, attackers may have simply tricked targets into downloading what appeared to be a messaging app by distributing a malicious link for victims to click.
In at least one instance, Google found that attackers may have been working with local ISPs to cut off a specific user’s mobile data connection, send them a malicious download link over SMS, and convince them to install the fake My Vodafone app over Wi-Fi with the promise that this would restore their cell service.
The research shows that while not all actors are as successful or well known as a company like NSO Group, the many small and midsize players in this burgeoning industry are together creating real risk for internet users worldwide.