Google’s Alphabet Inc said in a new report that hacking tools of an Italian company were used to spy on Apple and Android smartphones in Italy and Kazakhstan.
The Milan-based RCS Lab, whose website claims European law enforcement agencies as clients, has developed tools to spy on the private messages and contacts of targeted devices, the report said.
European and US regulators were weighing potential new rules on the sale and import of spyware.
“These vendors enable the spread of dangerous hacking tools and arm governments that would not be able to develop these capabilities internally,” Google said.
The governments of Italy and Kazakhstan did not immediately respond to requests for comment. An Apple spokesperson said the company has removed all known accounts and certificates associated with this hacking campaign.
RCS Lab said its products and services comply with European rules and help law enforcement agencies investigate crimes.
“RCS Lab personnel are not exposed and are not involved in any activities of the customers concerned,” she told Reuters in an email, adding that she condemned any misuse of its products.
Google said it took steps to protect users of its Android operating system and alerted them about the spyware known as Hermit.
The global industry that manufactures spyware for governments is growing, with more companies developing interception tools for law enforcement. Anti-surveillance activists accuse them of helping governments that in some cases use such tools to suppress human and civil rights.
The industry came under the spotlight globally when it emerged in recent years that NSO’s Pegasus spyware has been used by several governments to spy on journalists, activists and dissidents.
Although the RCS Lab tool may not be as stealthy as Pegasus, it can still read messages and display passwords, said Bill Marczak, a security researcher at Citizen Lab.
“It shows that while these devices are ubiquitous, there is still a long way to go to secure them against these powerful attacks,” he added.
On its website, RCS Lab describes itself as a maker of “lawful intercept” technologies and services including voice, data collection, and “tracking systems”. It says it deals with 10,000 intercepted targets per day in Europe alone.
Google researchers found that RCS Lab previously collaborated with the controversial Italian spying company, Hacking Team, which similarly created surveillance software for foreign governments to take advantage of phones and computers.
The hacking team went bankrupt after becoming the victim of a major hack in 2015 that exposed several internal documents.
Billy Leonard, a senior researcher at Google, said that in some cases, Google said it believed hackers using RCS spyware worked with the target ISP, suggesting they had ties to government-backed actors.
The mobile security company said evidence indicated that Hermit was used in a predominantly Kurdish area of Syria.
Lookout researchers said Hermit’s analysis showed it could be used to control smartphones, record voice, forward calls, and collect data such as contacts, messages, photos and location.
Both Google and Lookout noticed the spread of spyware by getting people to click on links in messages sent to targets.
“In some cases, we believe that actors worked with the target’s Internet Service Provider (ISP) to disrupt the target’s mobile data connection,” Google said.
Once disabled, the attacker sends a malicious link via SMS asking the target to install an app to restore their data connection.
Cyber spies, when not masquerading as a mobile Internet service provider, will send links pretending to be from phone makers or messaging apps to trick people into clicking on them, researchers said.
“Hermit deceives users by presenting legitimate web pages to brands that are impersonating themselves because they are launching malicious activity in the background,” the Lookout researchers said.
Google said it has warned Android users targeted by spyware and strengthened software defenses. Apple told AFP it had taken steps to protect iPhone users.
Google’s threat team tracks more than 30 companies that sell surveillance capabilities to governments, according to the Alphabet-owned tech giant.
“The commercial spyware industry is booming and growing at an exponential rate,” Google said.