Meta warns of 8 spyware companies targeting iOS, Android and Windows devices


Meta Platforms said it has taken a series of steps to curtail the malicious activities of eight different companies in Italy, Spain and the United Arab Emirates (UAE) active in the surveillance-for-hire industry.

The findings are part of its Adversarial Threat Report for the fourth quarter of 2023. The spyware targeted iOS, Android and Windows devices.

“Their various malware included capabilities to collect and access device information, location, photos and media, contacts, calendar, email, SMS, social media and messaging apps, and enable microphone, camera and screenshot functionality,” the company said.

The eight companies are Cy4Gate/ELT Group, RCS Labs, IPS Intelligence, Variston IT, TrueL IT, Protect Electronic Systems, Negg Group and Mollitiam Industries.

According to Meta, these companies also engaged in scraping, social engineering and phishing activities targeting a wide range of platforms, including Facebook, Instagram, X (formerly Twitter), YouTube, Skype, GitHub, Reddit, Google, LinkedIn, Quora, Tumblr, VK, Flickr, TikTok, SnapChat, Gettr, Viber, Twitch and Telegram.

Specifically, a network of fictitious personas linked to Cy4Gate-owned RCS Labs allegedly tricked users into providing their phone numbers and email addresses and into clicking on fake links, in order to conduct reconnaissance.

Another set of now-deleted Facebook and Instagram accounts linked to Spanish spyware vendor Variston IT was used to develop and test exploits, including by sharing malicious links. Last week, reports emerged that the company will cease operations.


Meta also said it identified accounts used by Negg Group to test the delivery of its spyware, as well as accounts used by Mollitiam Industries, a Spanish company that advertises a data collection service and spyware targeting Windows, macOS and Android, to scrape publicly available information.

Elsewhere, the social media giant has taken action against networks from China, Myanmar and Ukraine that engaged in coordinated inauthentic behavior (CIB), removing more than 2,000 accounts, pages and groups from Facebook and Instagram.

While the Chinese cluster targeted American audiences with content criticizing U.S. foreign policy toward Taiwan and Israel and its support for Ukraine, the Myanmar-based network targeted its own residents with original articles that praised the Burmese military and disparaged the ethnic armed organizations and minority groups.

The third cluster is notable for its use of fake pages and groups to post content supporting Ukrainian politician Viktor Razvadovskyi, while also sharing “supportive commentary about the current government and critical commentary about the opposition” in Kazakhstan.

The development comes as a coalition of government and technology companies, including Meta, signed an agreement to curb the misuse of commercial spyware to commit human rights abuses.

As countermeasures, the company has introduced new features such as Control Flow Integrity (CFI) on Messenger for Android and VoIP memory isolation for WhatsApp, in an effort to make exploitation more difficult and reduce the overall attack surface.

That said, the surveillance industry continues to flourish in numerous, unexpected forms. Last month, 404 Media, building on a preliminary investigation by the Irish Council for Civil Liberties (ICCL) in November 2023, unmasked a surveillance tool called Patternz that uses real-time bidding (RTB) advertising data collected from popular apps like 9gag, Truecaller and Kik to track mobile devices.

“Patternz enables national security agencies to use real-time and historical user-generated data to detect, monitor and predict user actions, security threats and anomalies based on user behavior, location patterns and mobile usage characteristics,” ISA, the Israeli company behind the product, claimed on its website.

Last week, Enea shed light on a previously unknown mobile network attack known as MMS Fingerprint, which was allegedly used by Pegasus maker NSO Group. The information is contained in a 2015 contract between the company and Ghana’s telecoms regulator.


While the exact method used remains somewhat of a mystery, the Swedish telecom security company suspects it likely involves the use of MM1_notification.REQ, a special type of SMS message called a binary SMS, which notifies the receiving device of an MMS that is waiting for pickup from the Multimedia Messaging Service Center (MMSC).

The MMS is then retrieved using MM1_retrieve.REQ and MM1_retrieve.RES, the first of which is an HTTP GET request to the URL contained in the MM1_notification.REQ message.

The striking thing about this approach is that information about the user’s device, such as the User-Agent (distinct from a web browser’s User-Agent string) and x-wap-profile headers, is embedded in the GET request and therefore acts as a kind of fingerprint.

“The (MMS) User-Agent is a string that typically identifies the operating system and the device,” Enea said. “x-wap-profile refers to a UAProf (User Agent Profile) file that describes the capabilities of a mobile phone.”
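To make concrete what the MMSC (or a network sensor in front of it) actually sees, here is an added example, not part of the article or of Enea's research, that parses the headers of an MM1_retrieve.REQ GET and pulls out the two device-identifying fields described above. The request text, host names and device names are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample of an MM1_retrieve.REQ as seen on the MMSC side
# (hypothetical host, message id, device and UAProf URL).
SAMPLE_MM1_RETRIEVE_REQ = (
    "GET /mmsc/retrieve?id=example-msg-id HTTP/1.1\r\n"
    "Host: mmsc.example.net\r\n"
    "User-Agent: ExamplePhone-X1/1.0 MMS/1.3 AndroidOS/13\r\n"
    "x-wap-profile: http://uaprof.example.net/x1/x1-v1.xml\r\n"
    "Accept: application/vnd.wap.mms-message\r\n"
    "\r\n"
)


@dataclass
class MmsFingerprint:
    request_target: str
    user_agent: Optional[str]   # identifies OS and device model
    uaprof_url: Optional[str]   # x-wap-profile: URL of the UAProf capability file

    def is_mms_client(self) -> bool:
        """Heuristic: MMS user agents advertise an MMS version; browsers do not."""
        return bool(self.user_agent and re.search(r"\bMMS/\d", self.user_agent))


def parse_mm1_retrieve(raw: str) -> MmsFingerprint:
    """Parse the request line and headers of an HTTP/1.1 GET into a fingerprint."""
    head, _, _ = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _ = request_line.split(" ", 2)
    if method != "GET":
        raise ValueError(f"MM1_retrieve.REQ is a GET, got {method}")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()  # header names are case-insensitive
    return MmsFingerprint(
        request_target=target,
        user_agent=headers.get("user-agent"),
        uaprof_url=headers.get("x-wap-profile"),
    )
```

Running `parse_mm1_retrieve(SAMPLE_MM1_RETRIEVE_REQ)` shows that the two headers alone name the OS, the device model and a capability file, before any message content is exchanged; a phone configured not to auto-retrieve MMS never issues this request.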

A threat actor looking to deploy spyware can use this information to exploit specific vulnerabilities, tailor their malicious payloads to the target device, or even create more effective phishing campaigns. That said, there is no evidence that this vulnerability has been exploited in the wild in recent months.
