Meta Platforms said it has taken a series of measures to limit the malicious activities of eight different companies based in Italy, Spain and the United Arab Emirates (UAE) that operate in the surveillance-for-hire sector.
The findings are part of the Adversarial Threat Report for the fourth quarter of 2023. The spyware targeted iOS, Android and Windows devices.
“The various malware included functionality to collect and access device information, location, photos and media, contacts, calendar, email, SMS, social media and messaging apps, and enable microphone, camera and screenshot functionality,” the company said.
The eight companies are Cy4Gate/ELT Group, RCS Labs, IPS Intelligence, Variston IT, TrueL IT, Protect Electronic Systems, Negg Group and Mollitiam Industries.
These companies, according to Meta, also engaged in scraping, social engineering and phishing activities that targeted a wide range of platforms such as Facebook, Instagram, X (formerly Twitter), YouTube, Skype, GitHub, Reddit, Google, LinkedIn, Quora, Tumblr, VK, Flickr, TikTok, SnapChat, Gettr, Viber, Twitch and Telegram.
Specifically, a network of fictitious personas linked to RCS Labs, owned by Cy4Gate, is said to have tricked users into providing their phone numbers and email addresses, as well as clicking on bogus links to conduct reconnaissance.
Another set of now-removed Facebook and Instagram accounts associated with Spanish spyware vendor Variston IT were used to develop and test exploits, including sharing malicious links. Reports surfaced last week that the company would shut down its operations.
Meta also said it identified accounts used by Negg Group to test the distribution of its spyware, as well as by Mollitiam Industries, a Spanish company that advertises a spyware and data collection service targeting Windows, macOS and Android, to collect public information.
Elsewhere, the social media giant took action on networks in China, Myanmar and Ukraine exhibiting coordinated inauthentic behavior (CIB) by removing more than 2,000 accounts, pages and groups from Facebook and Instagram.
While the Chinese cluster targeted U.S. audiences with content criticizing U.S. foreign policy toward Taiwan and Israel and its support for Ukraine, the Myanmar network targeted its own residents with original articles praising the Burmese army and denigrating ethnic armed organizations and minority groups.
The third group is notable for using fake pages and groups to post content supporting Ukrainian politician Viktor Razvadovskyi, while also sharing “supportive comments about the current government and critical comments about the opposition” in Kazakhstan.
The development comes as a coalition of government and technology companies, including Meta, signed an agreement to curb the abuse of commercial spyware to commit human rights abuses.
As countermeasures, the company has introduced new features such as enabling Control Flow Integrity (CFI) on Messenger for Android and VoIP memory isolation for WhatsApp, in an effort to make exploitation more difficult and reduce the overall attack surface.
That said, the surveillance industry continues to thrive in myriad unexpected forms. Last month, 404 Media, building on previous research conducted by the Irish Council for Civil Liberties (ICCL) in November 2023, exposed a surveillance tool called Patternz which leverages real-time bidding (RTB) advertising data collected by popular apps like 9gag, Truecaller, and Kik to track mobile devices.
“Patternz enables national security agencies to use historical and real-time data generated by user advertising to detect, monitor and predict user actions, security threats and anomalies based on user behavior, location patterns and mobile usage features,” ISA, the Israeli company behind the product, claimed on its website.
Then last week, Enea revealed a previously unknown mobile network attack known as MMS Fingerprint that was alleged to have been used by Pegasus maker NSO Group. This information was included in a 2015 contract between the company and the Ghana Telecommunications Regulatory Authority.
While the exact method used remains a mystery, the Swedish telecommunications security firm suspects that it likely involves the use of MM1_notification.REQ, a special type of SMS message called a binary SMS that notifies the recipient device of an MMS awaiting retrieval from the Multimedia Messaging Service Center (MMSC).
The MMS is then retrieved via MM1_retrieve.REQ and MM1_retrieve.RES, the former being an HTTP GET request to the URL address contained in the MM1_notification.REQ message.
What is noteworthy in this approach is that information about the user’s device, such as the User-Agent (distinct from a web browser’s User-Agent string) and x-wap-profile headers, is embedded in the GET request, thus acting as a sort of fingerprint.
“The (MMS) User-Agent is a string that typically identifies the operating system and device,” Enea said. “x-wap-profile points to a UAProf (User Agent Profile) file that describes the capabilities of a mobile phone.”
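To make the exchange concrete from an operator's or defender's side, here is an added example (not from the article or from Enea) that parses a constructed MM1_retrieve.REQ HTTP GET, reports the device-identifying headers it carries, and checks whether a notification's content location would send that request to a host outside the operator's own MMSC. The hostnames, header values and allow-list are all constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample of the HTTP GET a handset sends as MM1_retrieve.REQ after
# receiving an MM1_notification.REQ. All values are made up for this example.
SAMPLE_RETRIEVE_REQ = (
    "GET /mms/retrieve/abc123 HTTP/1.1\r\n"
    "Host: mmsc.example-operator.invalid\r\n"
    "User-Agent: ExampleHandset/1.0 Android/13 Example-Model-X\r\n"
    "x-wap-profile: http://uaprof.example-vendor.invalid/Example-Model-X.xml\r\n"
    "Accept: application/vnd.wap.mms-message\r\n"
    "\r\n"
)

# Hosts that belong to the operator's own MMSC (constructed allow-list).
TRUSTED_MMSC_HOSTS = {"mmsc.example-operator.invalid"}

# Headers the article identifies as the device fingerprint.
FINGERPRINT_HEADERS = ("user-agent", "x-wap-profile")


def parse_request(raw: str) -> tuple[str, dict[str, str]]:
    """Split a raw HTTP/1.1 request into (request-target, lowercased header map)."""
    head, _, _body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    if method != "GET":
        raise ValueError("MM1_retrieve.REQ is expected to be an HTTP GET")
    headers: dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return target, headers


def fingerprint_exposure(raw: str) -> dict[str, str]:
    """Return the User-Agent and x-wap-profile values that whoever serves the
    retrieve URL learns about the handset from this single request."""
    _target, headers = parse_request(raw)
    return {h: headers[h] for h in FINGERPRINT_HEADERS if h in headers}


def notification_points_offnet(content_location: str) -> bool:
    """True if a notification's content location would make the handset fetch
    (and so fingerprint itself to) a host outside the operator's MMSC."""
    host = urlsplit(content_location).hostname or ""
    return host.lower() not in TRUSTED_MMSC_HOSTS
```

An MMSC or SMS firewall can apply the second check to inbound notifications before they reach subscribers, and log the first to see what a retrieve request reveals.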
A threat actor seeking to distribute spyware could use this information to exploit specific vulnerabilities, tailor their malicious payloads to the target device, or even create more effective phishing campaigns. That said, there is no evidence that this security flaw has been exploited in the wild in recent months.