According to Google, attackers worked with ISPs to deploy Hermit spyware on Android and iOS

A sophisticated spyware campaign is getting the help of internet service providers (ISPs) to trick users into downloading malicious apps, according to a study published by Google’s Threat Analysis Group (TAG) (via TechCrunch). This confirms earlier findings by security research group Lookout, which linked the spyware called Hermit to Italian spyware vendor RCS Labs.

According to Lookout, RCS Labs works in the same industry as NSO Group — the notorious surveillance-for-hire company behind the Pegasus spyware — and sells commercial spyware to various government agencies. Lookout researchers believe Hermit has already been used by the government of Kazakhstan and by Italian authorities. Consistent with these findings, Google has identified victims in both countries and says it will notify affected users.

As described in the Lookout report, Hermit is a modular threat that can download additional functionality from a command and control (C2) server. This allows the spyware to access the call records, location, photos, and text messages on a victim’s device. Hermit is also able to record audio, make and intercept phone calls, and root an Android device, giving it full control of its core operating system.

The spyware can infect both Android devices and iPhones by disguising itself as a legitimate source, typically posing as a cell phone provider or messaging app. Google’s cybersecurity researchers found that some attackers actually worked with ISPs to turn off a victim’s mobile data to further their scheme. The attackers would then pose as the victim’s cell phone provider via SMS and trick users into believing that downloading a malicious app would restore their internet connection. According to Google, when attackers were unable to work with an ISP, they posed as seemingly authentic messaging apps that they tricked users into downloading.

Researchers from Lookout and TAG say apps featuring Hermit were never made available through Google Play or the Apple App Store. However, attackers were able to distribute infected apps to iOS by enrolling in Apple’s Developer Enterprise Program. This allowed attackers to bypass the App Store’s standard verification process and obtain a certificate that “meets all iOS code signing requirements on all iOS devices.”
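Because the Hermit apps were never distributed through Google Play, one basic triage check on an Android device is to list which installer put each third-party app on the phone and flag anything that did not come from a trusted store. The snippet below is an added example and not code from Google, Lookout, or RCS Labs; it parses the output format of `adb shell pm list packages -i -3` as assumed here (`package:<name>  installer=<installer or null>`) over a constructed sample, and the trusted-store list is an assumption to adjust per fleet policy.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample of `adb shell pm list packages -i -3` output (third-party packages,
# with the installing package shown). The package names are made up for this example.
SAMPLE_PM_OUTPUT = """\
package:com.example.bank  installer=com.android.vending
package:com.example.chat  installer=null
package:org.example.carrierhelp  installer=com.android.packageinstaller
package:com.example.weather  installer=com.sec.android.app.samsungapps
"""

# Installers treated as trusted app stores (assumption: tune this to your policy).
TRUSTED_INSTALLERS: Set[str] = {
    "com.android.vending",              # Google Play
    "com.sec.android.app.samsungapps",  # Samsung Galaxy Store
}

# One line of pm output: "package:<name>  installer=<installer or null>" (assumed format).
LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<installer>\S+)$")


@dataclass(frozen=True)
class InstalledPackage:
    name: str
    installer: Optional[str]  # None when pm reports "installer=null"


def parse_pm_list(output: str) -> List[InstalledPackage]:
    """Parse pm output into InstalledPackage records; reject lines we do not understand."""
    pkgs: List[InstalledPackage] = []
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised pm output line: {line!r}")
        installer = m.group("installer")
        pkgs.append(InstalledPackage(m.group("pkg"), None if installer == "null" else installer))
    return pkgs


def sideloaded(pkgs: List[InstalledPackage], trusted: Set[str] = TRUSTED_INSTALLERS) -> List[str]:
    """Names of packages whose installer is unknown or is not a trusted store (sorted)."""
    return sorted(p.name for p in pkgs if p.installer is None or p.installer not in trusted)


if __name__ == "__main__":
    for name in sideloaded(parse_pm_list(SAMPLE_PM_OUTPUT)):
        print(f"review: {name} was not installed from a trusted store")
```

A hit here is not proof of compromise; legitimate side-loading exists, and an app installed through the system package installer after an SMS lure is exactly the pattern described above, so flagged packages are candidates for closer inspection (signer, permissions, network behaviour) rather than verdicts.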

Apple tells The Verge that it has since revoked any accounts or certificates associated with the threat. In addition to notifying affected users, Google has rolled out a Google Play Protect update to all users.
