Skip to main content

iPhone users targeted by Italian spyware, says new report

Iphone 13 Pro Ios 15 Hero
Iphone 13 Pro Ios 15 Hero (Image credit: Christine Romero-Chan / iMore)

What you need to know

  • A new report says iOS users have been targeted by spyware.
  • Google says an Italian company used spyware to target victims in Italy and Kazakhstan.
  • Apple has reportedly revoked all known accounts and certificates associated with the campaign.

A new report claims an Italian-based company's spyware has been used to target iPhone users in Italy and Kazakhstan.

In a report from Google's Threat Analysis Group the company writes:

Today, alongside Google's Project Zero, we are detailing capabilities we attribute to RCS Labs, an Italian vendor that uses a combination of tactics, including atypical drive-by downloads as initial infection vectors, to target mobile users on both iOS and Android. We have identified victims located in Italy and Kazakhstan.

The campaign used a unique link sent to a target, which would attempt to get users on both Android and iOS to install a malicious app, and in some cases working with the target's mobile carrier to disable their data, before then sending a similar malicious link via SMS in order to "fix" the issue.

iOS users were also targeted with a "drive-by exploit":

To distribute the iOS application, attackers simply followed Apple instructions on how to distribute proprietary in-house apps to Apple devices and used the itms-services protocol with the following manifest file and using com.ios.Carrier as the identifier.

The company was able to satisfy Apple's iOS code signing requirements by enrolling in Apple's Developer Enterprise Program, such apps can be sideloaded onto devices and don't need to be installed by Apple's App Store.

Apple told iMore that the company has revoked all known accounts and certificates associated with the hacking campaign, indicating it should hopefully not be a threat to other users going forward. Apple has also patched the exploits in iOS 15. The company has previously warned against the dangers of sideloading apps on its iOS ecosystem and the impact that could have on users, citing a similar attack using its Enterprise Developer Program as an example of its dangers.

RCS Lab told the outlet it had no connection to the activities of any of its customers, in a defense similar to that used by NSO over its own Pegasus spyware scandal. RCS Lab sells its spy tools to other agencies, listing European law enforcement agencies amongst its clients. As noted, many of these attacks against victims were carried out in conjunction with their ISPs, suggesting an official connection between those internet service providers or carriers and agencies using the spyware.

Stephen Warwick
Stephen Warwick

Stephen Warwick has written about Apple for five years at iMore and previously elsewhere. He covers all of iMore's latest breaking news regarding all of Apple's products and services, both hardware and software. Stephen has interviewed industry experts in a range of fields including finance, litigation, security, and more. He also specializes in curating and reviewing audio hardware and has experience beyond journalism in sound engineering, production, and design.

Before becoming a writer Stephen studied Ancient History at University and also worked at Apple for more than two years. Stephen is also a host on the iMore show, a weekly podcast recorded live that discusses the latest in breaking Apple news, as well as featuring fun trivia about all things Apple.