Google Catches Spyware Vendor Targeting Italy and Kazakhstan
A spyware vendor called RCS Labs has been caught targeting people in Italy and Kazakhstan, according to Google’s Threat Analysis Group (TAG).
TAG says that RCS Labs targeted Android and iOS devices with its spyware. According to the group, “All campaigns TAG observed originated with a unique link sent to the target. Once clicked, the page attempted to get the user to download and install a malicious application on either Android or iOS.”
According to TAG, the malicious links appear to have been presented in two different ways. One appeared as an app that could be used to restore a victim’s mobile data connection, and the other was a messaging app.
The data-restoration app would only work as a lure if someone had actually lost internet access on their phone. TAG suggests that “in some cases, we believe the actors worked with the target’s ISP to disable the target’s mobile data connectivity.” The attacks would then proceed based on what kind of phone the target was using. On an iPhone, the spyware exploited six different vulnerabilities, two of which were zero-days. On an Android phone, the app was designed to look like a legitimate Samsung app. In reality, TAG believes that RCS Labs used command-and-control infrastructure to remotely download and execute exploits.
The malicious apps were not delivered via the App Store or Google Play Store. TAG says that RCS Labs used features built into iOS and Android that allowed users to “sideload” software.
“This campaign is a good reminder that attackers do not always use exploits to achieve the permissions they need,” TAG says. “Basic infection vectors and drive by downloads still work and can be very efficient with the help from local ISPs.”
Story via PC Magazine