NEWS: Meta Exposes Eight Firms Behind Spyware Attacks on iOS, Android, and Windows Devices

February 19, 2024


Meta Platforms’ Actions Against Surveillance-for-Hire Companies


Meta Platforms has taken action against eight surveillance-for-hire companies based in Italy, Spain, and the United Arab Emirates (U.A.E.), as per their Adversarial Threat Report for Q4 2023. The companies were reportedly involved in malicious activities, including the development of spyware aimed at iOS, Android, and Windows devices.


The malware developed by these companies had the ability to gather and access a wide range of device data, including information about the device itself, location data, photos, media, contacts, calendar entries, emails, SMS, and data from social media and messaging apps. The malware could also activate device microphones, cameras, and screenshot functions.


The companies implicated in these activities are Cy4Gate/ELT Group, RCS Labs, IPS Intelligence, Variston IT, TrueL IT, Protect Electronic Systems, Negg Group, and Mollitiam Industries. According to Meta Platforms, these companies also engaged in data scraping, social engineering, and phishing activities across a variety of platforms, including Facebook, Instagram, X (formerly Twitter), YouTube, Skype, GitHub, Reddit, Google, LinkedIn, Quora, Tumblr, VK, Flickr, TikTok, Snapchat, Gettr, Viber, Twitch, and Telegram.


Specific Malicious Activities


RCS Labs, owned by Cy4Gate, reportedly used a network of fake personas to trick users into providing their phone numbers and email addresses, and to click on fraudulent links for reconnaissance purposes. Facebook and Instagram accounts linked to Spanish spyware company Variston IT were used for exploit development and testing, including the sharing of malicious links. Reports suggest that Variston IT is in the process of shutting down its operations.


Meta Platforms also identified accounts used by Negg Group for testing spyware delivery, and by Mollitiam Industries, a Spanish company offering data collection services and spyware for Windows, macOS, and Android, for scraping public information.


Actions Against Coordinated Inauthentic Behavior (CIB)


Alongside these actions, Meta Platforms also removed over 2,000 accounts, Pages, and Groups from Facebook and Instagram due to Coordinated Inauthentic Behavior (CIB) originating from China, Myanmar, and Ukraine. The Chinese cluster targeted U.S. audiences with content criticizing U.S. foreign policy towards Taiwan and Israel and supporting Ukraine. The Myanmar network targeted local residents with articles praising the Burmese army and criticizing ethnic armed organizations and minority groups. The Ukrainian cluster used fake Pages and Groups to post content supporting Ukrainian politician Viktor Razvadovskyi and expressing support for the current government and criticism of the opposition in Kazakhstan.


Industry-wide Efforts to Curb Spyware Abuse


This action by Meta Platforms is part of a broader initiative by a coalition of governments and tech companies aiming to curb the misuse of commercial spyware in human rights abuses. As part of its countermeasures, Meta Platforms has introduced new features such as Control Flow Integrity (CFI) in Messenger for Android and VoIP memory isolation in WhatsApp to make exploitation more difficult and reduce the overall attack surface.


The Persistence of the Surveillance Industry


Despite these efforts, the surveillance industry continues to evolve and thrive in various forms. Last month, 404 Media, building on prior research from the Irish Council for Civil Liberties (ICCL) in November 2023, revealed a surveillance tool called Patternz. This tool utilizes real-time bidding (RTB) advertising data from popular apps like 9gag, Truecaller, and Kik to track mobile devices. The Israeli company behind Patternz, ISA, claims that the tool allows national security agencies to use real-time and historical user advertising data to detect, monitor, and predict user actions, security threats, and anomalies based on user behavior, location patterns, and mobile usage characteristics.


In addition, last week, Enea unveiled a previously unknown mobile network attack known as MMS Fingerprint.


The Use of Pegasus-maker NSO Group’s Alleged Techniques


According to some sources, Pegasus-maker NSO Group is believed to have employed specific techniques that are referred to in a 2015 contract between the company and Ghana’s telecom regulator. The exact means the group used remain unclear, but Enea, a Swedish telecom security firm, has put forward a plausible theory.


The Role of Binary SMS in the Suspected Method


Enea suggests that the group likely used a special type of SMS message known as binary SMS, specifically MM1_notification.REQ. This message informs the recipient’s device that an MMS (Multimedia Messaging Service) message is pending retrieval from the MMSC (Multimedia Messaging Service Center).


The Process of Fetching MMS


Fetching the MMS uses MM1_retrieve.REQ and MM1_retrieve.RES. The former is an HTTP GET request sent to the URL contained in the MM1_notification.REQ message.


The Significance of User Device Information


What makes this technique particularly interesting is that the GET request includes user device information such as the User-Agent (distinct from a web browser’s User-Agent string) and the x-wap-profile header. Together, this data effectively serves as a unique identifier for the device.


Understanding User-Agent and x-wap-profile


Enea explains that the User-Agent in this context is a string that typically identifies the device’s OS and model. The x-wap-profile, on the other hand, points to a User Agent Profile (UAProf) file that outlines the capabilities of a mobile handset.
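As an added example (not part of the original article or of Enea's research), the following Python parses a constructed MM1_retrieve.REQ and reports which device-identifying headers it exposes, then shows one mitigation a privacy-conscious MMS client or an operator-side proxy could apply: replacing the User-Agent with a generic value and dropping x-wap-profile. The sample request, host names, User-Agent string, and UAProf URL are all constructed placeholders, and the `minimise_identifying_headers` policy is an assumption for illustration, not a documented operator practice.

```python
"""Inspect an MM1_retrieve.REQ (the HTTP GET an MMS client sends to the MMSC)
for the device-identifying headers described in the article, and show a
header-minimisation mitigation. Everything here is constructed for the example."""
from urllib.parse import urlsplit

# Constructed sample of an MM1_retrieve.REQ. Host, path, User-Agent and UAProf
# URL are placeholders (.invalid TLD), not values from any real operator or device.
SAMPLE_MM1_RETRIEVE_REQ = (
    b"GET /mms/retrieve?id=example-msg-001 HTTP/1.1\r\n"
    b"Host: mmsc.example-operator.invalid\r\n"
    b"User-Agent: ExampleVendor-ModelX/1.0 Android/13\r\n"
    b"x-wap-profile: http://uaprof.example-vendor.invalid/ModelX.xml\r\n"
    b"Accept: application/vnd.wap.mms-message\r\n"
    b"\r\n"
)

# Headers that identify the handset rather than the message being fetched.
IDENTIFYING_HEADERS = ("user-agent", "x-wap-profile")


def parse_request(raw: bytes) -> dict:
    """Split an HTTP/1.1 request into its request line and a case-insensitive header map."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers}


def device_fingerprint(raw: bytes) -> dict:
    """Report which identifying headers the request exposes and what they reveal.

    This is the defender's audit view: run it over MMS retrieval traffic (or a
    client's own outgoing requests) to see what a listening party would learn."""
    req = parse_request(raw)
    h = req["headers"]
    fp = {
        "exposed": [n for n in IDENTIFYING_HEADERS if n in h],
        "user_agent": h.get("user-agent"),   # typically names OS and handset model
        "uaprof_url": h.get("x-wap-profile"),  # points at the UAProf capability file
        "uaprof_file": None,
    }
    if fp["uaprof_url"]:
        # The UAProf file name usually names the handset model on its own.
        fp["uaprof_file"] = urlsplit(fp["uaprof_url"]).path.rsplit("/", 1)[-1]
    return fp


def minimise_identifying_headers(raw: bytes, generic_ua: str = "MMS-Client/1.0") -> bytes:
    """Rewrite the request with a generic User-Agent and without x-wap-profile.

    Assumed mitigation for illustration: an MMSC may use these headers for
    content adaptation, so a real deployment must confirm retrieval still works."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    out = []
    for line in head.split(b"\r\n"):
        name = line.split(b":", 1)[0].strip().lower()
        if name == b"x-wap-profile":
            continue  # drop the capability-file pointer entirely
        if name == b"user-agent":
            line = b"User-Agent: " + generic_ua.encode("ascii")
        out.append(line)
    return b"\r\n".join(out) + sep + body


if __name__ == "__main__":
    print("before:", device_fingerprint(SAMPLE_MM1_RETRIEVE_REQ))
    print("after: ", device_fingerprint(minimise_identifying_headers(SAMPLE_MM1_RETRIEVE_REQ)))
```

Running the module prints the fingerprint before and after minimisation; on the sample, the "before" view shows both headers exposed and recovers the model name from the UAProf file name, while the "after" view shows only the generic User-Agent. The same `device_fingerprint` check can be pointed at captured MMSC traffic to measure how much handset detail an operator's clients leak on every retrieval.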


Potential Exploitation of Device Information


This device information could be used by a threat actor to deploy spyware: exploiting vulnerabilities specific to the device, tailoring malicious payloads to the target device, or designing more effective phishing campaigns. It is important to note, however, that there is currently no evidence that this loophole has been exploited recently.