According to research published by Google’s Threat Analysis Group (TAG), a sophisticated spyware campaign is tricking users into downloading malicious applications with the help of Internet Service Providers (ISPs) (via TechCrunch). This corroborates earlier findings by security research group Lookout, which linked the spyware called Hermit to Italian spyware vendor RCS Labs.
Lookout said RCS Labs worked in the same line of business as NSO Group, the notorious for-hire surveillance company behind Pegasus spyware, and peddled commercial spyware to various government agencies. Lookout researchers believe that Hermit has been deployed by the Kazakh government and Italian authorities. Based on these findings, Google has identified victims in both countries and said it will notify affected users.
As described in the Lookout report, Hermit is modular: the initial app is a loader that downloads additional capabilities from a command and control (C2) server. Those modules let the spyware read call logs, location data, photos and text messages on the victim’s device. Hermit can also record audio, make and intercept calls, and root Android devices, which gives it complete control over the device’s operating system.
Hermit infects Android and iOS devices by posing as a legitimate app, usually one from a mobile carrier or a messaging service. Google’s researchers found that in some cases the attackers worked with the victim’s ISP to cut off the target’s mobile data connection. The attackers then impersonated the carrier via SMS, telling the victim that installing a linked app would restore their connectivity. Where ISP cooperation was not available, Google says the attackers instead distributed authentic-looking messaging apps and relied on the lure alone to get users to install them.
Researchers at Lookout and TAG said no app containing Hermit was ever made available through Google Play or the Apple App Store. However, attackers can distribute infected apps on iOS by enrolling in Apple’s Developer Enterprise Program. This allows bad actors to bypass the App Store’s standard review process and obtain a certificate that “meets all iOS code signing requirements on any iOS device.”
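Enterprise distribution is the one legitimate way to get an app onto an iPhone without App Store review, which is why an enterprise-signed app that has no business being enterprise-signed (a "carrier" utility, for example) is worth flagging. The example below is added here and is not code from the article, Lookout or Google TAG. It inspects the `embedded.mobileprovision` file that ships inside any sideloaded iOS app bundle: that file is a CMS-signed XML plist, and an enterprise profile carries `ProvisionsAllDevices = true`, an ad hoc or development profile lists specific `ProvisionedDevices`, and an App Store profile has neither. The profile contents (team name, bundle identifier, device UDID) are constructed fixtures, not data from the Hermit campaign.

```python
"""Classify an iOS provisioning profile by distribution type.

Added example, not code from the article or the researchers it cites.
A real .mobileprovision is a DER-encoded CMS (PKCS#7) blob whose payload is an
XML plist; the signature is NOT verified here, the goal is only to read the
distribution type for triage.
"""
import datetime
import plistlib


def extract_plist(profile_bytes: bytes) -> bytes:
    """Pull the XML plist payload out of a CMS-wrapped provisioning profile.

    The plist sits inside the CMS structure as an opaque octet string, so a
    byte search for the XML header and the closing </plist> tag is enough.
    """
    start = profile_bytes.find(b"<?xml")
    end = profile_bytes.find(b"</plist>")
    if start == -1 or end == -1 or end < start:
        raise ValueError("no plist payload found in profile")
    return profile_bytes[start:end + len(b"</plist>")]


def classify_profile(profile_bytes: bytes) -> dict:
    """Return the distribution type plus the fields an analyst wants to see.

    enterprise   -> ProvisionsAllDevices is true (installs on any device)
    development  -> specific devices listed and get-task-allow (debuggable)
    ad-hoc       -> specific devices listed, not debuggable
    app-store    -> neither key present
    """
    info = plistlib.loads(extract_plist(profile_bytes))
    entitlements = info.get("Entitlements", {})

    if info.get("ProvisionsAllDevices"):
        kind = "enterprise"
    elif info.get("ProvisionedDevices"):
        kind = "development" if entitlements.get("get-task-allow") else "ad-hoc"
    else:
        kind = "app-store"

    expires = info.get("ExpirationDate")
    return {
        "kind": kind,
        "team": info.get("TeamName"),
        "app_id": entitlements.get("application-identifier"),
        "device_count": len(info.get("ProvisionedDevices", [])),
        "expires": expires.isoformat() if isinstance(expires, datetime.datetime) else None,
    }


def make_sample_profile(payload: dict) -> bytes:
    """Constructed test fixture: a plist wrapped in filler bytes that stand in
    for the CMS header and signature of a real .mobileprovision file."""
    return b"\x30\x82\x0a\x00" + b"\x00" * 16 + plistlib.dumps(payload) + b"\x00" * 16


# Constructed fixtures (team, bundle id and UDID are made up for illustration).
ENTERPRISE_PROFILE = make_sample_profile({
    "AppIDName": "Carrier Helper",
    "TeamName": "Example Corp",
    "ProvisionsAllDevices": True,
    "ExpirationDate": datetime.datetime(2023, 1, 1),
    "Entitlements": {
        "application-identifier": "ABCDE12345.com.example.carrierhelper",
        "get-task-allow": False,
    },
})

AD_HOC_PROFILE = make_sample_profile({
    "AppIDName": "Carrier Helper",
    "TeamName": "Example Corp",
    "ProvisionedDevices": ["00008030-000A1B2C3D4E5F67"],
    "ExpirationDate": datetime.datetime(2023, 1, 1),
    "Entitlements": {
        "application-identifier": "ABCDE12345.com.example.carrierhelper",
        "get-task-allow": False,
    },
})


if __name__ == "__main__":
    for name, blob in (("enterprise", ENTERPRISE_PROFILE), ("ad-hoc", AD_HOC_PROFILE)):
        print(name, classify_profile(blob))
```

To run this against a real app, pull the profile out of the IPA with `unzip -p App.ipa 'Payload/*.app/embedded.mobileprovision' > profile.mobileprovision` and feed the bytes to `classify_profile`; on macOS, `security cms -D -i profile.mobileprovision` prints the same plist after checking the CMS signature, which this script deliberately skips. Apps installed from the App Store normally have no `embedded.mobileprovision` at all, so the file's presence on a device that is not enrolled in corporate management is itself a signal worth following up.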
Apple told The Verge it has revoked any accounts or credentials associated with the threat. In addition to notifying affected users, Google has pushed a Google Play Protect update to all Android users.