Google claims that attackers have worked with ISPs to use Hermit spyware on Android and iOS
A sophisticated spyware campaign is getting help from Internet service providers (ISPs) to trick users into downloading malicious applications, according to a report published by Google’s Threat Analysis Group (TAG) (via TechCrunch). This confirms earlier findings from the Lookout security research team, which linked the spyware, named Hermit, to the Italian spyware vendor RCS Labs.
Lookout says RCS Labs is in the same line of business as NSO Group – the notoriously secretive surveillance company behind the Pegasus spyware – and sells commercial spyware to various government agencies. Lookout’s researchers believe Hermit has already been used by the government of Kazakhstan and by Italian authorities. Consistent with these findings, Google has identified victims in both countries and says it will notify affected users.
As described in the Lookout report, Hermit is a modular threat that can download additional capabilities from its command-and-control (C2) server. This lets the spyware access call records, location, photos, and text messages on the victim’s device. Hermit can also record audio, make and end calls, and root an Android device, giving it full control over the underlying operating system.
The spyware can infiltrate both Android and iPhone devices by posing as a legitimate source, usually a mobile carrier or a messaging app. Google’s security researchers found that some attackers actually worked with ISPs to cut off the victim’s mobile data in order to advance their scheme. The attackers then impersonated the victim’s mobile carrier over SMS and tricked users into believing that downloading a malicious app would restore their internet connection. Where the attackers could not work with an ISP, Google says the malicious apps were disguised as messaging apps to trick users into downloading them.
Researchers from Lookout and TAG say apps containing Hermit were never made available through Google Play or the Apple App Store. However, attackers were able to distribute infected apps on iOS by enrolling in Apple’s Developer Enterprise Program. This allowed the malicious actors to bypass the App Store’s standard review process and obtain a certificate that “satisfies all iOS code signing requirements on any iOS devices.”
Apple told The Verge that it has since revoked all accounts and certificates associated with the threat. In addition to notifying affected users, Google has also pushed a Google Play Protect update to all users.