Researchers at the University of Toronto's Citizen Lab, working with security firm Kaspersky, have revealed a widespread network of mobile surveillance malware marketed by an Italian company and reportedly used by law enforcement agencies worldwide.
The malware, known as Remote Control System (RCS), can infiltrate Android, iOS, Windows Mobile, Symbian, and BlackBerry devices. Although most mobile malware targets Android because of its market share, this discovery reinforces expert warnings that other platforms are also vulnerable.
The investigation uncovered 320 command-and-control (C&C) servers for RCS operating across more than 40 countries. Kaspersky mapped the IP addresses of these servers and found the largest number located in the United States (64). Other countries with significant counts included Kazakhstan (49), Ecuador (35), and the United Kingdom (32).
“The presence of these servers in a given country doesn’t necessarily mean they are used by that country’s law enforcement agencies,” said Sergey Golovanov, principal security researcher at Kaspersky Lab. “However, it is reasonable for RCS operators to deploy C&C servers in jurisdictions they control, where the risk of cross-border legal issues or server seizures is lower.”
On the developer’s website, the Italian company advertising RCS describes the product this way: “Remote Control System (RCS) is a solution designed to evade encryption by means of an agent directly installed on the device to monitor. Evidence collection on monitored devices is stealth and transmission of collected data from the device to the RCS server is encrypted and untraceable.”
Citizen Lab’s documents explain that RCS is typically delivered via spear-phishing or by exploiting operating system vulnerabilities. The vendor appears to concentrate on Android, but evidence suggests it can also compromise Apple iOS on jailbroken devices. For non-jailbroken iPhones, an infected computer connected to the device can trigger a remote jailbreak and install the spyware.
Once RCS is installed on a target device, the software can intercept and record phone calls and SMS messages, capture chat conversations from apps such as Viber, WhatsApp and Skype, access files and photos stored on the handset, monitor calendar entries, determine the device’s location, and take screenshots on command. It can also extract data from third-party applications, including social media platforms.
The malware is engineered to operate stealthily, using anonymizing measures and techniques designed to leave minimal forensic traces, including methods to avoid detection through mobile data usage statistics. Beyond criminal investigations, Citizen Lab identified code samples indicating the system has been deployed against political targets in countries such as Saudi Arabia, Malaysia, Morocco, and Ethiopia.
This investigation highlights how advanced commercial surveillance tools can be repurposed for a wide range of targets and how their global infrastructure can span numerous jurisdictions. The findings underscore the importance of strong device security practices, careful management of mobile permissions, and continued scrutiny of commercial surveillance technology.
How do you feel about the exposed global malware network? Let us know in the comments.