Milan-based RCS Lab, whose website claims European law enforcement agencies as clients, has developed tools to spy on the private messages and contacts of targeted devices, according to the report.
“These vendors enable the proliferation of dangerous hacking tools and arm governments that may not be able to develop these capabilities internally,” Google said.
RCS Lab said its products and services comply with European rules and help law enforcement agencies investigate crimes.
“RCS Lab personnel are not exposed to or involved in any activity conducted by affected customers,” he told Reuters in an email, adding that he condemns any misuse of its products.
Google said it took steps to protect users of its Android operating system and alerted them to the spyware.
The global industry of manufacturing spyware for governments is growing, with more and more companies developing interception tools for law enforcement agencies. Anti-surveillance activists accuse them of aiding governments, which in some cases use such tools to suppress human and civil rights.
The industry was in the global spotlight when Israeli surveillance company NSO’s Pegasus spyware was used in recent years by several governments to spy on journalists, activists and dissidents.
While RCS Lab’s tool may not be as stealthy as Pegasus, it can still read messages and display passwords, said Citizen Lab security researcher Bill Marczak.
“It shows that even though these devices are ubiquitous, there is still a long way to go to secure them against these powerful attacks,” he added.
On its website, RCS Lab describes itself as a maker of “lawful interception” technologies and services, including voice, data collection, and “tracking systems.” He says he manages 10,000 intercepted targets daily in Europe alone.
Google researchers found that RCS Lab previously collaborated with the controversial and defunct Italian spy firm Hacking Team, which also created surveillance software that allowed foreign governments to exploit phones and computers.
Hacking Team went bankrupt after being the victim of a major hack in 2015 which led to the disclosure of numerous internal documents.
In some cases, Google said it believed hackers using RCS spyware were working with the target’s internet service provider, suggesting they had ties to government-backed actors, Billy said. Leonard, senior researcher at Google.