Google Research: Last Year’s Mobile Vulnerabilities Exploited for Spying

Italian RCS Lab Selling Surveillance Software to Foreign Governments

According to a blog post by Google, most of the mobile device zero-day vulnerabilities discovered by the company last year are being exploited by software companies. They produce surveillance and espionage tools that they sell to governments of different countries. Google has attached some significant pieces of the malware code into their report.

The giant reveals that over 30 firms manufacture spyware exploiting seven out of nine zero-day vulnerabilities Google previously warned about. The beneficiaries of the developed malware are governmental agencies that purchase the invasive programs from private companies.

The most audacious entity among those thirty is definitely the Italian company RCS Lab S.p.A. based in Milan. The firm openly admits that it works for governmental law enforcement agencies. Thus, it has developed invasive instances of spyware that can work on Android and iOS devices. RCS Lab products were or are used by the governments of Italy and Kazakhstan.

Lookout Inc., a cybersecurity company, conducted a research not long ago that revealed a connection between the RCS Lab and Tykelab companies and Hermit – self-assembling mobile spyware that downloads itself by modules. This surveillance program has been deployed in Kazakhstan, Syria, and Italy. Google research confirms these findings.

While Lookout Inc. noted that spyware is rarely used solely for law enforcement (let alone what law enforcement is remains a question,) and once such tools are created, they most certainly will end up in the hands of malefactors, Google showed concerns about a shift in spyware accessibility distribution. What earlier was a prerogative of special agencies, nowadays governments buy from private organizations.

RCS Lab S.p.A. does not hide its speciality, admitting that its operations area is “lawful interception.” The firm has been active for almost thirty years and positions itself as a company “behind a safer world.” Besides Italy, RCS Lab products have been deployed in the following countries: Chile, Pakistan, Mongolia, Bangladesh, Myanmar, Vietnam, Turkmenistan, Syria, and now Kazakhstan.

Zero-day vulnerabilities are program or equipment flaws that went unnoticed before the product release. As soon as these defects are found, they are usually patched by downloadable software fixes. However, before being noticed by product developers, zero-day vulnerabilities can be found by hackers. That would put users of the product in serious jeopardy. Proven hacker attacks that can play a card of a certain vulnerability are called vulnerability exploits.