Report claims Milan-based RCS Lab developed tools to spy on private messages and contacts of targeted devices

The report said that hacking tools were used to spy on both Apple and Android smartphones in Italy and Kazakhstan.
The report said that hacking tools were used to spy on both Apple and Android smartphones in Italy and Kazakhstan. Photograph: Alexander Spatari/Getty Images

An Italian company’s hacking tools were used to spy on Apple and Android smartphones in Italy and Kazakhstan, Alphabet Inc’s Google said in a new report.

Milan-based RCS Lab, whose website claims European law enforcement agencies as clients, developed tools to spy on private messages and contacts of the targeted devices, the report said.

European and American regulators have been weighing potential new rules over the sale and import of spyware.

“These vendors are enabling the proliferation of dangerous hacking tools and arming governments that would not be able to develop these capabilities in-house,” Google said.

The governments of Italy and Kazakhstan did not immediately respond to requests for comment. An Apple spokesperson said the company had revoked all known accounts and certificates associated with this hacking campaign.

RCS Lab said its products and services comply with European rules and help law enforcement agencies investigate crimes.

“RCS Lab personnel are not exposed, nor participate in any activities conducted by the relevant customers,” it told Reuters in an email, adding it condemned any abuse of its products.

Google said it had taken steps to protect users of its Android operating system and alerted them about the spyware, known as Hermit.

The global industry making spyware for governments has been growing, with more companies developing interception tools for law enforcement. Anti-surveillance activists accuse them of aiding governments that in some cases use such tools to crack down on human rights and civil rights.

The industry came under a global spotlight when the Israeli surveillance firm NSO’s Pegasus spyware was in recent years found to have been used by multiple governments to spy on journalists, activists, and dissidents.

While RCS Lab’s tool may not be as stealthy as Pegasus, it can still read messages and view passwords, said Bill Marczak, a security researcher with digital watchdog Citizen Lab.

“This shows that even though these devices are ubiquitous, there’s still a long way to go in securing them against these powerful attacks,” he added.

Google researchers found RCS Lab had previously collaborated with the controversial, defunct Italian spy firm Hacking Team, which had similarly created surveillance software for foreign governments to tap into phones and computers.

Hacking Team went bust after it became a victim of a major hack in 2015 that led to a disclosure of numerous internal documents.

In some cases, Google said it believed hackers using RCS spyware worked with the target’s internet service provider, which suggests they had ties to government-backed actors, said Billy Leonard, a senior researcher at Google.

Evidence suggests Hermit was used in a predominantly Kurdish region of Syria, the mobile security company said.

Analysis of Hermit showed that it can be employed to gain control of smartphones, recording audio, redirecting calls, and collecting data such as contacts, messages, photos and location, Lookout researchers said.

Google and Lookout noted the spyware spreads by getting people to click on links in messages sent to targets.

“In some cases, we believe the actors worked with the target’s ISP (internet service provider) to disable the target’s mobile data connectivity,” Google said.

“Once disabled, the attacker would send a malicious link via SMS asking the target to install an application to recover their data connectivity.”

When not masquerading as a mobile internet service provider, the cyber spies would send links pretending to be from phone makers or messaging applications to trick people into clicking, researchers said.

“Hermit tricks users by serving up the legitimate webpages of the brands it impersonates as it kickstarts malicious activities in the background,” Lookout researchers said.

Google said it has warned Android users targeted by the spyware and ramped up software defences. Apple told AFP it has taken steps to protect iPhone users.

Google’s threat team is tracking more than 30 companies that sell surveillance capabilities to governments, according to the Alphabet-owned tech titan.

“The commercial spyware industry is thriving and growing at a significant rate,” Google said.