Attackers hit iOS and Android devices with spyware in Italy and Kazakhstan



Google has revealed that Android and iOS users in Europe were tricked into installing a malicious application that would then steal personal information from the device.

A report published Thursday by Google detailed findings of the ongoing investigation into commercial spyware vendors as part of the Project Zero campaign.

The company named Italy’s RCS Labs as the likely party responsible for the attacks. Google claims that RCS Labs used “a combination of tactics” to attack users in Italy and Kazakhstan with what is considered a “drive-by download attack”.

A message would claim that the victim can no longer access their account or services and must log in via the provided link to restore the service. The installation links sent by the nefarious actors pretended to be notifications from an Internet service provider or messaging application.

After the victim opened the linked site, they were presented with real logos and realistic prompts to reset their account, with the link to download the malicious application placed behind official-looking buttons and icons. For example, one of the many variants of the app used in the campaign had a Samsung logo as its icon and allegedly pointed to a fake Samsung website.

The Android version of the attack used an .apk file. Since Android apps can be installed freely from outside the Google Play Store, there was no need for the actors to convince victims to install a special certificate.

Once installed, the Android app was granted a broad set of permissions by the victim, including access to network state, user credentials, contact information, and external storage.
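An analyst who receives a suspicious .apk normally starts by reading its requested permissions. The script below is an added example, not code from the article or from Google's report: it parses a decoded AndroidManifest.xml and flags the permissions that map to the data categories named above (network state, accounts/credentials, contacts, external storage). The manifest text, the package name and the permission-to-category table are constructed for the example; the script assumes the binary manifest has already been decoded to XML (for instance with apktool) and does not handle APK extraction itself.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Assumed mapping from permission to the kind of data it exposes. The
# categories mirror the ones the article mentions; the permission names are
# standard Android permissions, not values taken from the real samples.
SENSITIVE_PERMISSIONS: Dict[str, str] = {
    "android.permission.ACCESS_NETWORK_STATE": "network state",
    "android.permission.GET_ACCOUNTS": "user credentials / accounts",
    "android.permission.READ_CONTACTS": "contact information",
    "android.permission.READ_EXTERNAL_STORAGE": "external storage",
    "android.permission.READ_SMS": "SMS contents",
    "android.permission.RECORD_AUDIO": "microphone",
}

# Constructed manifest for the example. It is NOT the manifest of the real
# malicious app; it only imitates the shape of a decoded AndroidManifest.xml.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakecarrier">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <application android:label="Carrier Support">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""


def requested_permissions(manifest_xml: str) -> List[str]:
    """Return every permission the manifest requests, in manifest order."""
    root = ET.fromstring(manifest_xml)
    return [
        elem.get(NAME_ATTR)
        for elem in root.iter("uses-permission")
        if elem.get(NAME_ATTR)
    ]


def flag_sensitive(manifest_xml: str) -> Dict[str, str]:
    """Map each requested permission that is in the watch list to its data category."""
    return {
        perm: SENSITIVE_PERMISSIONS[perm]
        for perm in requested_permissions(manifest_xml)
        if perm in SENSITIVE_PERMISSIONS
    }


def triage_report(manifest_xml: str) -> str:
    """Human-readable summary an analyst can paste into a case note."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "<unknown>")
    flagged = flag_sensitive(manifest_xml)
    lines = [f"package: {package}",
             f"requested permissions: {len(requested_permissions(manifest_xml))}",
             f"sensitive permissions: {len(flagged)}"]
    for perm, category in flagged.items():
        lines.append(f"  {perm} -> {category}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(triage_report(SAMPLE_MANIFEST))
```

Permissions alone do not prove malice (a legitimate contacts backup app asks for READ_CONTACTS too); the value of the check is the mismatch between what the app claims to be, here a carrier support tool, and the data it asks to read.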

Victims using iOS were then instructed to install a corporate certificate. If the user followed the process, the properly signed certificate allowed the malicious app to bypass App Store protections after sideloading.

The iOS version of the malicious application used six different system exploits to extract information from the device, splitting the app into multiple parts, each using a specific exploit. Four of these exploits were written by the jailbreak community to bypass the authentication layer and unlock full root access to the system.

Due to iOS sandboxing, the amount of extracted data was limited. While data such as the local database of the WhatsApp messaging application was obtained from victims, sandboxing prevented the app from directly reaching into other apps and stealing their information.

Google has warned Android victims of this campaign. The company also made changes to Google Play Protect and disabled certain Firebase projects used by the attackers.

Apple has patched the exploits. Solutions for the entire exploit chain came with iOS 15.2.

Apple users have long been targeted by nefarious actors. In January 2022, government agents managed to get malware onto the Mac devices of pro-democracy activists. More recently, in April, a phishing attack on a victim’s iCloud account resulted in $650,000 in assets being stolen.

iOS or iPadOS device owners are protected from these types of attacks if they don't install certificates from outside their own organization. It is also good practice for any user who receives a call to action through a messaging service to contact the company directly through a channel established before the message arrived, rather than through the links it contains.

Updated June 24, 7:00 AM ET: Updated confirming Apple’s patching efforts to stop the entire exploit chain.