Google's Threat Analysis Group (TAG) spotted an Italian spyware vendor getting help from some ISPs for infecting Android and iOS users with commercial surveillance tools. The targeted users are from Italy and Kazakhstan.

A spyware vendor working with ISPs

The spyware vendor is identified as RCS Labs whose activity is at present tracked by Google’s TAG. 
  • The attacks used drive-by-downloads to infect victims who were urged to install malicious apps that were camouflaged as legitimate mobile carrier apps to get back online after their ISP cut the internet, implying actors work with the target's ISP to disable the internet. 
  • Once disabled, the attacker would send a malicious link via SMS asking victims to install an app that masqueraded as a mobile carrier application to re-enable the internet.

Alternate attack method

If an ISP could not be involved, the attackers disguise the malicious apps as messaging applications, which the users need to download for further support.
  • The attackers provided a page in Italian to download either Messenger, Instagram, or WhatsApp. 
  • By examining the code of the page, experts only spotted WhatsApp download links leading to the attacker's malware for Android and iOS users.

Targeting iOS users

The malicious apps deployed on the victim's devices are not available on the App Store or Google Play. However, the iOS version of the app followed the method suggested by Apple to distribute proprietary in-house apps to Apple devices.
  • The application is signed with a valid certificate that abides by all code signing requirements on any iOS device.
  • The iOS app came with various built-in exploits to escalate privileges on the infected device and steal files. It has a generic privilege escalation exploit wrapper that is used by six different exploits.
  • The exploits concern CVE-2018-4344, CVE-2019-8605, CVE-2020-3837, and CVE-2020-9907, also including two zero-day vulnerabilities CVE-2021-30883 and CVE-2021-30983.

Further, the app has a minimalist agent only to find and steal files of peculiar interest from the device, such as a WhatsApp database.

Targeting Android users

The malicious Android app is observed to have no bundled exploits, it pretends to be the legitimate Samsung App. It is believed to be the same Hermit spyware, detected a few days ago.


Cybercriminals working with the ISP providers to target users' should be perceived as a sensitive matter. Smartphone users are suggested to stay alert while receiving SMS offering apps to install. Also, one must check for the legitimacy of apps before installing an app.
Cyware Publisher