Milan-based RCS Lab, whose website claims European law enforcement agencies as clients, has developed tools to spy on private messages and contacts from the targeted devices, the report said.
“These vendors are spreading dangerous hacking tools and arming governments that couldn’t develop these capabilities in-house,” Google said.
RCS Lab said its products and services comply with European regulations and help law enforcement agencies investigate crimes.
“The RCS Lab staff will not be exposed to or participate in activities conducted by the relevant customers,” it told Reuters in an email, adding that it condemned any misuse of its products.
Google said it had taken steps to protect users of its Android operating system and notified them of the spyware.
The global industry that makes spyware for governments is growing, and more and more companies are developing interception tools for law enforcement organizations. Anti-surveillance activists accuse them of helping governments that in some cases use such tools to tackle human and civil rights.
The industry came to the fore worldwide when Israeli surveillance company NSO’s Pegasus spyware was used by multiple governments in recent years to spy on journalists, activists and dissidents.
While RCS Lab’s tool may not be as unobtrusive as Pegasus, it can still read messages and view passwords, says Bill Marczak, a security researcher at digital watchdog Citizen Lab.
“This shows that while these devices are ubiquitous, there is still a long way to go to secure them against these powerful attacks,” he added.
On its website, RCS Lab describes itself as a maker of “legal interception” technologies and services, including voice, data collection and “tracking systems”. It says it handles 10,000 intercepted targets daily in Europe alone.
Google researchers found that RCS Lab had previously partnered with the controversial, defunct Italian spy company Hacking Team, which had similarly created surveillance software for foreign governments to wiretap phones and computers.
Hacking Team went bankrupt after it fell victim to a major hack in 2015 that led to the disclosure of numerous internal documents.
In some cases, Google said it believed hackers using RCS spyware were collaborating with the target’s Internet service provider, suggesting they had ties to government-backed actors, said Billy Leonard, a senior researcher at Google.