For many years, Google has been monitoring the activity of commercial spyware vendors. In conjunction with Google's Project Zero, it discovered that RCS Labs, an Italian vendor, uses unusual drive-by downloads as the initial infection vector to target iOS and Android mobile users.
Every campaign that TAG was made aware of began with a one-of-a-kind link being sent to the target.
After the target clicked on the link, they were tricked into downloading and installing a malicious application on their Android or iOS device.
After the victim's mobile data connection had been disabled, the attacker sent a malicious link to the target via SMS, asking them to download an application in order to restore their data connectivity. When cooperation from the ISP was not an option, the applications were instead disguised as messaging applications.
In the campaigns that used drive-by downloads against multiple victims, the victims first had their Internet connection cut off with the assistance of their Internet service provider (ISP) and were then prompted to install malicious apps, camouflaged as legitimate mobile carrier apps, in order to regain access to the Internet.
Seven of the nine zero-day vulnerabilities our Threat Analysis Group