Nascondino: RCS S.p.A.

VAT number: 07715580630
Products: "Hermit" (*unofficial*)
Parent Company: Cy4Gate S.p.A. (13129151000)
Capabilities: Spyware, 0-day Exploits, IP Network Surveillance, Video/Audio Surveillance

RCS, also known as RCS Lab or ETM Sicurezza, is an Italian information technology company, part of the Cy4Gate group along with Tykelab.
Founded in 1992, RCS's main focus is mobile device spyware.

As early as 2012, RCS was a reseller of Hacking Team’s surveillance software to various problematic governments like Turkmenistan, Pakistan, Bangladesh, and Vietnam.[1]

In 2022, Google’s Threat Analysis Group (TAG) discovered the “Hermit” spyware made by RCS.
The spyware was hosted on unique links sent to the victim via SMS, while the victim's ISP, in coordination with RCS, disabled the victim's data connectivity.

The iOS spyware was signed through the Apple Developer Enterprise Program, and contained a number of publicly available exploits (CVE-2018-4344, CVE-2019-8605, CVE-2020-3837, and CVE-2020-9907) and 0-day exploits (CVE-2021-30883 and CVE-2021-30983).[2]

The Android version required the victim to enable installation of applications from unknown sources. It didn’t contain any 0-days out of the box, but the code contained hints about such capabilities.[3][4]

The “Hermit” spyware was deployed in Kazakhstan and Syria, both countries with poor human rights records, and Italy.[5]

In 2024, Meta and Google released a report on RCS.[6][7] The report describes RCS’s spyware and methodology, showing that RCS ran a network of disinformation accounts on Facebook and Instagram operated from Italy, Kazakhstan and Mongolia. The network carried out social engineering and phishing attempts, using fictitious personas posing as protestors, journalists and young women to trick people into sharing their emails and phone numbers, as well as clicking on malicious links.

Meta also found that RCS Labs and its customers embedded canary tokens in Word documents that were disguised as news articles or anti-government petitions, in order to track who opened and shared such files. According to Meta, such documents targeted journalists, activists and dissidents in Azerbaijan, Kazakhstan and Mongolia.

This company is also listed on Surveillance Watch.

External References

  1. web.archive.org - lastampa.it
  2. blog.google
  3. lookout.com
  4. lookout.com
  5. theguardian.com
  6. transparency.fb.com
  7. blog.google