Hacking tools from an Italian company have been used to spy on Apple and Android smartphones in Italy and Kazakhstan, Alphabet’s Google said in a report Thursday.
Milan-based RCS Lab, whose website claims European law enforcement as clients, has developed tools to spy on private messages and contacts from targeted devices, the report said.
Google’s (GOOG) findings on RCS Lab come as European and American regulators evaluate potential new rules on the sale and import of spyware.
“These vendors are enabling the proliferation of dangerous hacking tools and arming governments that would not be able to develop these capabilities internally,” said Google.
Apple (AAPL) and the governments of Italy and Kazakhstan did not immediately respond to requests for comment.
RCS Lab said its products and services comply with European standards and help law enforcement investigate crimes.
“RCS Lab personnel are not exposed to, nor participate in, any activity conducted by affected customers,” he told Reuters in an email, adding that he condemned any abuse of its products.
Google said it has taken steps to protect users of its Android operating system and warned them of the spyware.
The global industry of spyware for governments is growing, with more and more companies developing eavesdropping tools for law enforcement. Anti-surveillance activists accuse them of helping governments which in some cases use such tools to crack down on human and civil rights.
The industry was in the global spotlight when it was discovered in recent years that Pegasus spyware from Israeli surveillance firm NSO has been used by multiple governments to spy on journalists, activists and dissidents.
While RCS Lab’s tool may not be as stealthy as Pegasus, it can still read messages and view passwords, said Bill Marczak, a security researcher with the Citizen Lab digital watchdog.
“This shows that even though these devices are ubiquitous, there is still a long way to go to protect them from these powerful attacks,” he added.
On its website, RCS Lab describes itself as a manufacturer of “legal interception” technologies and services including voice, data collection and “tracking systems”. It says it manages 10,000 targets intercepted every day in Europe alone.
Google researchers found that RCS Lab had previously partnered with the controversial and defunct Italian spy firm Hacking Team, which had similarly created surveillance software to allow foreign governments to tap into phones and computers.
Hacking Team went bankrupt after being the victim of a major hack in 2015 that led to the disclosure of numerous internal documents.
In some cases, Google said it believed hackers using RCS spyware were partnering with the target ISP, suggesting they had links with government-backed actors, said Billy Leonard, a senior researcher at Google.