Google's Threat Analysis Group
Does it monitor and track for USA regime-backed spyware? Yes or no?
Spyware developed by Italian firm RCS Labs was used to target cellphones in Italy and Kazakhstan — in some cases with an assist from the victims' cellular network providers, according to Google's Threat Analysis Group (TAG). RCS Labs customers include law-enforcement agencies worldwide, according to the vendor's website. It's …
What legal framework is okay with forcing a provider to do things in order to trick a mark into installing spyware on their phone?
One could imagine in any sane legal jurisdiction, any competent lawyer would reasonably argue that if they managed to get the user to install something that gave itself unfettered access to the phone, said access could just as easily be used to plant evidence. There's no longer any sort of assurance that the device has not been tampered with, because it very obviously has, which means that anything on it should be considered inadmissible.
Of course "sane legal jurisdiction" is the important part here...
Just like they could get help from different kind of people to bug a criminal? Locksmiths could help police to enter a house. A car repair may bug cars as well. A restaurant may allow microphone and cameras installed. Even kindergarten to catch teachers hurting children. Even intercepting deliveries could be allowed. ISPs may support sizing machines used by crooks and then used to "spy" on them.
How do you believe you can catch crooks? Especially some kind of crimes that like to lurk in the dark? Just waiting they deliver themselves at the local police office?
Of course if a court authorize such actions. The problem are laws like FISA that bypass court authorizations and parliament oversight.
"ould reasonably argue that if they managed to get the user to install something that gave itself unfettered access to the phone, said access could just as easily be used to plant evidence."
Sure. Then it's up to the investigators to support their evidences beyond any reasonable doubt.
I doubt the app prevented the host OS from grabbing all the data it usually grabs.
That might be an easy way onto devices belonging to slightly more tech-savvy users though: "Did you know Google records everything you do on Android and listens to you even when you're not using your phone? Download and install this app now to stop it!"
Would sound a tiny bit more convincing if Google weren't all about that shit themselves, eh?
You just needed to add a "Someone else" to the start of your byline and you'd've been good.
Bit confused as to whether this was being used as a law enforcement tool (as per the Italian usage description) or for nefarious means by a.n.other in eastern Europe ... sounds like a government installation which could be either use but the story seems to document an exploit method rather than a reason for exploitation. If it was used for "legitimate purposes" of law enforcement why is Google documenting it? If not, why are they not naming names and detailing reasons for the exploit?
A bug is a passive device. It records what it hears (or it reports its location, depending on what sort of bug).
There's a reason this sort of thing is supposed to be illegal and why no reputable judge would authorised it - evidence tampering. Spyware and phone hacking is not passive. It has the ability to read and transmit any file on the device. But it also has the capability of receiving files and writing them to the device.
If you enter a house or car to plant a bug you can also try to plant evidences. Even a passive tap may be used to "construct" evidences if using just part of the recordings. That's why everything can be challenged in courts.
As technology evolves and criminals take advantage of it, law enforcement have to build their counter-measures too. Of course their use must be strictly controlled.
Moreover, are you using cameras and mics to protect your house? You may illegally break the privacy of others...
> they are only getting the dumbest of the dumbest of victims
Actually, they are only getting the not-computer-savvy people, which apparently make up 99% of the population.
Please don't assume people on this website are anywhere representative of the general public's IT security knowledge and skills. (Expecting somebody to drop in to brag about his Pi-hole, any moment now...)
I don't assume that at all, and I strongly believe a large majority of smartphone users would be HIGHLY suspicious of instructions for downloading an app that are totally unlike the way they've downloaded every single other app on their phone. They would be wondering "why can't I just click on a link to take me to the App / Play Store?" or "why can't you just tell me the name and I'll search for it in the App / Play Store?" because that's how they've always installed new apps. People are generally very suspicious of having to do things different than the way they've always done them.
This is no different than being used to paying for stuff with cash, check or credit card and getting instructions to pay for something telling you to go to Walmart and buy a bunch of gift cards and emailing the codes to someone. Sure people do fall for scams where that happens, but only the dumbest of the dumbest (or unfortunately elderly and senile) fall for it.