Milan-based RCS Lab, whose website lists European law enforcement agencies as clients, has developed tools to spy on the target devices’ private messages and contacts, the report said.
European and American regulators have been considering potential new rules for the sale and import of spyware.
“These vendors enable the proliferation of dangerous hacking tools and arm governments that could not develop these skills in-house,” Google said.
The governments of Italy and Kazakhstan did not immediately respond to requests for comment. An Apple spokesman said the company had revoked all known accounts and certificates related to this hacking campaign.
RCS Lab said its products and services comply with European regulations and help law enforcement investigate crimes.
Discover the stories of your interest
“RCS Lab personnel are not exposed nor participate in activities conducted by the relevant customers,” it told Reuters in an email, adding it condemned any misuse of its products.
Google said it took steps to protect users of its Android operating system and warned them about the spyware.
The global industry that produces spyware for governments has grown, and more and more companies are developing eavesdropping tools for law enforcement. Anti-surveillance activists accuse them of supporting governments, which in some cases use such tools to crack down on human and civil rights.
The industry has come under the global spotlight in recent years when it was found that Israeli surveillance firm NSO’s Pegasus spyware was being used by several governments to spy on journalists, activists and dissidents.
While RCS Lab’s tool isn’t as stealthy as Pegasus, it can still read messages and view passwords, said Bill Marczak, a security researcher at Digital Watchdog Citizen Lab.
“This shows that while these devices are ubiquitous, there is still a long way to go to protect them against these powerful attacks,” he added.
On its website, RCS Lab describes itself as a manufacturer of “lawful wiretapping” technologies and services, including voice, data collection, and “tracking” systems. It says it handles 10,000 targets intercepted daily in Europe alone.
Google researchers found that RCS Lab had previously worked with the controversial, defunct Italian spy firm Hacking Team, which had also developed surveillance software for foreign governments to tap into phones and computers.
Hacking Team went bankrupt after falling victim to a major hack in 2015 that exposed numerous internal documents.
In some cases, Google believed hackers using RCS spyware were working with the target’s ISP, suggesting they had ties to state-backed actors, said Billy Leonard, a senior researcher at Google.