article featured image


For many years, Google has been monitoring the activity of commercial spyware sellers and in conjunction with Google’s Project Zero,  discovered the fact that RCS Labs, an Italian vendor, utilizes unusual drive-by downloads as first infection vectors to target iOS and Android mobile users.

What Happened?

Every campaign that TAG was made aware of began with a one-of-a-kind link being sent to the target.

An example screenshot from one of the attacker controlled sites, www.fb-techsupport[.]com.


After the user clicked on the website, they were tricked into downloading and installing a malicious program on their mobile device using either Android or iOS.

After disabling the victim’s data connection, the attacker would send a malicious link to the target through SMS, requesting that they download a program in order to regain their data connectivity. Programs are sometimes disguised as messaging applications in order to avoid engagement by ISPs when this is not an option.

After having their Internet connection cut off with the assistance of their Internet service provider (ISP), victims of attacks that used drive-by downloads to infect multiple victims were prompted to install malicious apps (camouflaged as legitimate mobile carrier apps) in order to regain access to the Internet.

Seven of the nine zero-day vulnerabilities our Threat Analysis Group discovered in 2021 fall into this category: developed by commercial providers and sold to and used by government-backed actors. TAG is actively tracking more than 30 vendors with varying levels of sophistication and public exposure selling exploits or surveillance capabilities to government-backed actors.

Our findings underscore the extent to which commercial surveillance vendors have proliferated capabilities historically only used by governments with the technical expertise to develop and operationalize exploits. This makes the Internet less safe and threatens the trust on which users depend.

Today, alongside Google’s Project Zero, we are detailing capabilities we attribute to RCS Labs, an Italian vendor that uses a combination of tactics, including atypical drive-by downloads as initial infection vectors, to target mobile users on both iOS and Android. We have identified victims located in Italy and Kazakhstan.


In the event that the attackers were unable to communicate directly with the ISPs of their targets, they would mask the malicious apps as harmless chat programs.

They encouraged people to use them by creating a fake support website that pretended to assist prospective victims in regaining access to their suspended accounts on Facebook, Instagram, or WhatsApp.

However, although clicking on the URLs for Facebook and Instagram would enable users to install the real applications, clicking on the link for WhatsApp would result in their downloading a malicious version of the actual WhatsApp program.

According to information provided by BleepingComputer, the malicious applications that were installed on the smartphones of the victims were not downloadable from either the Apple App Store or Google Play. In spite of this, the attackers sideloaded the iOS version (which was certified with an enterprise certificate) and then prompted the victim to permit the installation of applications from unknown sources.

The iOS software that was found to be involved in these assaults came with multiple built-in vulnerabilities, which gave it the ability to steal data and increase its privileges on the device that had been hacked. It includes a wrapper for a generic privilege escalation attack, which is put to use by six separate vulnerabilities. A minimalist agent that is able to exfiltrate interesting files from the device, such as the Whatsapp database, is also included in it, that bundles six different exploits: CVE-2018-4344 , CVE-2019-8605, CVE-2020-3837, CVE-2020-9907CVE-2021-30883, and CVE-2021-30983.

This campaign serves as a useful reminder that attackers do not necessarily rely on vulnerabilities in order to get the rights they need.

These companies are making it possible for malicious hacking tools to become more widely available and are equipping countries that would not be able to create these capabilities on their own.

The Internet is exposed to a significant danger whenever a vendor secretly hoards zero-day vulnerabilities, particularly in the event that the firm is itself breached.

If you liked this article follow us on LinkedInTwitterYouTubeFacebook, and Instagram to keep up to date with everything cybersecurity.

Author Profile

Dora Tudor

Cyber Security Enthusiast

linkedin icon

Dora is a digital marketing specialist within Heimdal™ Security. She is a content creator at heart - always curious about technology and passionate about finding out everything there is to know about cybersecurity.

Leave a Reply

Your email address will not be published. Required fields are marked *

Protect your business by doing more with less

Book a Demo