{
	"id": "14203d46-b6e5-4a2a-8ee9-6f3180adab12",
	"created_at": "2026-04-06T01:32:26.056867Z",
	"updated_at": "2026-04-10T03:24:30.141729Z",
	"deleted_at": null,
	"sha1_hash": "039f6f89c4a742726b0f71545380e8832e415861",
	"title": "Spyware vendor targets users in Italy and Kazakhstan",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 60538,
	"plain_text": "Spyware vendor targets users in Italy and Kazakhstan\r\nBy Benoit Sevens\r\nPublished: 2022-06-23 · Archived: 2026-04-06 00:52:03 UTC\r\nJun 23, 2022\r\nBenoit Sevens\r\nThreat Analysis Group\r\nClement Lecigne\r\nThreat Analysis Group\r\nGoogle has been tracking the activities of commercial spyware vendors for years, and taking steps to protect\r\npeople. Just last week, Google testified at the EU Parliamentary hearing on “Big Tech and Spyware” about the\r\nwork we have done to monitor and disrupt this thriving industry.\r\nSeven of the nine zero-day vulnerabilities our Threat Analysis Group discovered in 2021 fall into this category:\r\ndeveloped by commercial providers and sold to and used by government-backed actors. TAG is actively tracking\r\nmore than 30 vendors with varying levels of sophistication and public exposure selling exploits or surveillance\r\ncapabilities to government-backed actors.\r\nOur findings underscore the extent to which commercial surveillance vendors have proliferated capabilities\r\nhistorically only used by governments with the technical expertise to develop and operationalize exploits. This\r\nmakes the Internet less safe and threatens the trust on which users depend.\r\nToday, alongside Google’s Project Zero, we are detailing capabilities we attribute to RCS Labs, an Italian vendor\r\nthat uses a combination of tactics, including atypical drive-by downloads as initial infection vectors, to target\r\nmobile users on both iOS and Android. We have identified victims located in Italy and Kazakhstan.\r\nCampaign Overview\r\nAll campaigns TAG observed originated with a unique link sent to the target. Once clicked, the page attempted to\r\nget the user to download and install a malicious application on either Android or iOS. In some cases, we believe\r\nthe actors worked with the target’s ISP to disable the target’s mobile data connectivity. 
Once disabled, the attacker\r\nwould send a malicious link via SMS asking the target to install an application to recover their data connectivity.\r\nhttps://blog.google/threat-analysis-group/italian-spyware-vendor-targets-users-in-italy-and-kazakhstan/\r\nPage 1 of 5\n\nWe believe this is the reason why most of the applications masqueraded as mobile carrier applications. When ISP\r\ninvolvement is not possible, applications are masqueraded as messaging applications.\r\nAn example screenshot from one of the attacker controlled sites, www.fb-techsupport[.]com.\r\nThe page, in Italian, asks the user to install one of these applications in order to recover their account. Looking at\r\nthe code of the page, we can see that only the WhatsApp download links are pointing to attacker controlled\r\ncontent for Android and iOS users.\r\niOS Drive-By\r\nTo distribute the iOS application, attackers simply followed Apple instructions on how to distribute proprietary in-house apps to Apple devices and used the itms-services protocol with the following manifest file and using\r\ncom.ios.Carrier as the identifier.\r\nThe resulting application is signed with a certificate from a company named 3-1 Mobile SRL (Developer ID:\r\n58UP7GFWAA). The certificate satisfies all of the iOS code signing requirements on any iOS devices because the\r\ncompany was enrolled in the Apple Developer Enterprise Program.\r\nThese apps still run inside the iOS app sandbox and are subject to the exact same technical privacy and security\r\nenforcement mechanisms (e.g. code side loading) as any App Store apps. They can, however, be sideloaded on any\r\ndevice and don't need to be installed via the App Store. We do not believe the apps were ever available on the App\r\nStore.\r\nThe app is broken up into multiple parts. It contains a generic privilege escalation exploit wrapper which is used\r\nby six different exploits. 
It also contains a minimalist agent capable of exfiltrating interesting files from the\r\ndevice, such as the WhatsApp database.\r\nThe app we analyzed contained the following exploits:\r\nCVE-2018-4344 internally referred to and publicly known as LightSpeed.\r\nCVE-2019-8605 internally referred to as SockPort2 and publicly known as SockPuppet.\r\nCVE-2020-3837 internally referred to and publicly known as TimeWaste.\r\nCVE-2020-9907 internally referred to as AveCesare.\r\nCVE-2021-30883 internally referred to as Clicked2, marked as being exploited in-the-wild by Apple in\r\nOctober 2021.\r\nCVE-2021-30983 internally referred to as Clicked3, fixed by Apple in December 2021.\r\nAll exploits used before 2021 are based on public exploits written by different jailbreaking communities. At the\r\ntime of discovery, we believe CVE-2021-30883 and CVE-2021-30983 were two 0-day exploits. In collaboration\r\nwith TAG, Project Zero has published the technical analysis of CVE-2021-30983.\r\nAndroid Drive-By\r\nInstalling the downloaded APK requires the victim to enable installation of applications from unknown sources.\r\nAlthough the applications were never available in Google Play, we have notified the Android users of infected\r\ndevices and implemented changes in Google Play Protect to protect all users.\r\nAndroid Implant\r\nThis analysis is based on fe95855691cada4493641bc4f01eb00c670c002166d6591fe38073dd0ea1d001 that was\r\nuploaded to VirusTotal on May 27. We have not identified many differences across versions. 
This is the same\r\nmalware family that was described in detail by Lookout on June 16.\r\nThe Android app disguises itself as a legitimate Samsung application via its icon:\r\nWhen the user launches the application, a webview is opened that displays a legitimate website related to the icon.\r\nUpon installation, it requests many permissions via the Manifest file:\r\nThe configuration of the application is contained in the res/raw/out resource file. The configuration is encoded\r\nwith a 105-byte XOR key. The decoding is performed by a native library libvoida2dfae4581f5.so that contains a\r\nfunction to decode the configuration. A configuration looks like the following:\r\nOlder samples decode the configuration in the Java code with a shorter XOR key.\r\nThe C2 communication in this sample is via Firebase Cloud Messaging, while in other samples, Huawei\r\nMessaging Service has been observed in use. A second C2 server is provided for uploading data and retrieving\r\nmodules.\r\nWhile the APK itself does not contain any exploits, the code hints at the presence of exploits that could be\r\ndownloaded and executed. Functionality is present to fetch and run remote modules via the DexClassLoader API.\r\nThese modules can communicate events to the main app. 
The names of these events show the capabilities of these\r\nmodules:\r\nTAG did not obtain any of the remote modules.\r\nProtecting Users\r\nThis campaign is a good reminder that attackers do not always use exploits to achieve the permissions they need.\r\nBasic infection vectors and drive-by downloads still work and can be very efficient with help from local ISPs.\r\nTo protect our users, we have warned all Android victims, implemented changes in Google Play Protect and\r\ndisabled Firebase projects used as C2 in this campaign.\r\nHow Google is Addressing the Commercial Spyware Industry\r\nWe assess, based on the extensive body of research and analysis by TAG and Project Zero, that the commercial\r\nspyware industry is thriving and growing at a significant rate. This trend should be concerning to all Internet users.\r\nThese vendors are enabling the proliferation of dangerous hacking tools and arming governments that would not\r\nbe able to develop these capabilities in-house. While use of surveillance technologies may be legal under national\r\nor international laws, they are often found to be used by governments for purposes antithetical to democratic\r\nvalues: targeting dissidents, journalists, human rights workers and opposition party politicians.\r\nAside from these concerns, there are other reasons why this industry presents a risk to the Internet. While\r\nvulnerability research is an important contributor to online safety when that research is used to improve the\r\nsecurity of products, vendors stockpiling zero-day vulnerabilities in secret poses a severe risk to the Internet\r\nespecially if the vendor gets compromised. 
This has happened to multiple spyware vendors over the past ten years,\r\nraising the specter that their stockpiles can be released publicly without warning.\r\nThis is why when Google discovers these activities, we not only take steps to protect users, but also disclose that\r\ninformation publicly to raise awareness and help the entire ecosystem, in line with our historical commitment to\r\nopenness and democratic values.\r\nTackling the harmful practices of the commercial surveillance industry will require a robust, comprehensive\r\napproach that includes cooperation among threat intelligence teams, network defenders, academic researchers,\r\ngovernments and technology platforms. We look forward to continuing our work in this space and advancing the\r\nsafety and security of our users around the world.\r\nIndicators of Compromise\r\nSample hashes\r\nAPK available on VirusTotal:\r\ne38d7ba21a48ad32963bfe6cb0203afe0839eca9a73268a67422109da282eae3\r\nfe95855691cada4493641bc4f01eb00c670c002166d6591fe38073dd0ea1d001\r\n243ea96b2f8f70abc127c8bc1759929e3ad9efc1dec5b51f5788e9896b6d516e\r\na98a224b644d3d88eed27aa05548a41e0178dba93ed9145250f61912e924b3e9\r\nc26220c9177c146d6ce21e2f964de47b3dbbab85824e93908d66fa080e13286f\r\n0759a60e09710321dfc42b09518516398785f60e150012d15be88bbb2ea788db\r\n8ef40f13c6192bd8defa7ac0b54ce2454e71b55867bdafc51ecb714d02abfd1a\r\n9146e0ede1c0e9014341ef0859ca62d230bea5d6535d800591a796e8dfe1dff9\r\n6eeb683ee4674fd5553fdc2ca32d77ee733de0e654c6f230f881abf5752696ba\r\nDrive-by download domains\r\nfb-techsupport[.]com\r\n119-tim[.]info\r\n133-tre[.]info\r\n146-fastweb[.]info\r\n155-wind[.]info\r\n159-windtre[.]info\r\niliad[.]info\r\nkena-mobile[.]info\r\nmobilepays[.]info\r\nmy190[.]info\r\nposte-it[.]info\r\nho-mobile[.]online\r\nC2 
domains\r\nproject1-c094e[.]appspot[.]com\r\nfintur-a111a[.]appspot[.]com\r\nsafekeyservice-972cd[.]appspot[.]com\r\ncomxdjajxclient[.]appspot[.]com\r\ncomtencentmobileqq-6ffb5[.]appspot[.]com\r\nC2 IPs\r\n93[.]39[.]197[.]234\r\n45[.]148[.]30[.]122\r\n2[.]229[.]68[.]182\r\n2[.]228[.]150[.]86\r\nSource: https://blog.google/threat-analysis-group/italian-spyware-vendor-targets-users-in-italy-and-kazakhstan/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.google/threat-analysis-group/italian-spyware-vendor-targets-users-in-italy-and-kazakhstan/"
	],
	"report_names": [
		"italian-spyware-vendor-targets-users-in-italy-and-kazakhstan"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439146,
	"ts_updated_at": 1775791470,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/039f6f89c4a742726b0f71545380e8832e415861.pdf",
		"text": "https://archive.orkl.eu/039f6f89c4a742726b0f71545380e8832e415861.txt",
		"img": "https://archive.orkl.eu/039f6f89c4a742726b0f71545380e8832e415861.jpg"
	}
}