A sophisticated spyware campaign is receiving help from Internet service providers (ISPs) to trick users into downloading malicious applications, according to research published by the Google Threat Analysis Group (TAG) (via TechCrunch). This corroborates the earlier findings of the security research group Lookout, which linked the spyware, called Hermit, to the Italian spyware vendor RCS Labs.
Lookout says RCS Labs is in the same line of work as NSO Group, the infamous surveillance-for-hire company behind the Pegasus spyware, and sells commercial spyware to various government agencies. Lookout researchers believe Hermit has already been deployed by the government of Kazakhstan and by Italian authorities. Consistent with these findings, Google has identified victims in both countries and says it will notify affected users.
As described in the Lookout report, Hermit is a modular threat that can download additional capabilities from a command-and-control (C2) server. This allows the spyware to access call logs, location, photos, and text messages on the victim’s device. Hermit can also record audio, make and intercept phone calls, and root an Android device, giving the operator full control over the underlying operating system.
The spyware can infect both Android devices and iPhones by masquerading as a legitimate app, usually one from a mobile carrier or a messaging app. Google’s researchers found that some attackers worked with ISPs to switch off a victim’s mobile data so the lure would be more convincing. The attackers then impersonated the victim’s mobile operator over SMS, tricking users into believing that downloading the malicious app would restore their Internet connectivity. Where attackers could not work with an ISP, Google says they instead disguised the malware as seemingly genuine messaging apps that tricked users into installing them.
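The lure described above has a recognisable shape: a message that claims to come from the carrier, promises to restore data or connectivity, and points the user at an app download on a host the carrier does not own. The following is an added example, not code from Google, Lookout or the article, showing how a defender could triage incoming SMS text for that pattern. The sample messages and the carrier domain allowlist (`example-carrier.com`) are constructed for illustration and would be replaced by an organisation’s own data.

```python
import re
from dataclasses import dataclass, field

# Constructed allowlist of domains the legitimate carrier actually uses
# (hypothetical values; a real deployment would load these from config).
KNOWN_CARRIER_DOMAINS = {"example-carrier.com", "my.example-carrier.com"}

# Heuristics for the three ingredients of the lure described in the article.
CARRIER_CLAIM = re.compile(
    r"\b(your (mobile )?(operator|carrier|provider)|customer (care|service))\b", re.I)
CONNECTIVITY_LURE = re.compile(
    r"\b(restore|reactivate|recover|fix)\b.*\b(data|internet|connectivity|connection|service)\b", re.I)
APP_INSTALL = re.compile(
    r"\b(download|install)\b.*\b(app|application|apk)\b|\.apk\b", re.I)
URL_RE = re.compile(r"https?://([^\s/]+)", re.I)


@dataclass
class Verdict:
    suspicious: bool
    score: int
    reasons: list = field(default_factory=list)


def external_hosts(text):
    """Return URL hosts in the message that are not on the carrier allowlist."""
    hosts = []
    for m in URL_RE.finditer(text):
        host = m.group(1).lower()
        if not any(host == d or host.endswith("." + d) for d in KNOWN_CARRIER_DOMAINS):
            hosts.append(host)
    return hosts


def assess_sms(text):
    """Score one SMS body; a score of 4 or more is treated as suspicious."""
    score = 0
    reasons = []
    if CARRIER_CLAIM.search(text):
        score += 1
        reasons.append("claims to be the carrier")
    if CONNECTIVITY_LURE.search(text):
        score += 1
        reasons.append("promises to restore connectivity")
    if APP_INSTALL.search(text):
        score += 2
        reasons.append("asks the user to install an app")
    hosts = external_hosts(text)
    if hosts:
        score += 2
        reasons.append("links to non-carrier host(s): " + ", ".join(hosts))
    return Verdict(score >= 4, score, reasons)


def triage(messages):
    """Return the subset of messages that score as suspicious, with their verdicts."""
    return [(msg, v) for msg in messages if (v := assess_sms(msg)).suspicious]


# Constructed sample messages (not real carrier or campaign text).
SAMPLE_MESSAGES = [
    "Your mobile operator: your data has been suspended. Download the app at "
    "http://carrier-restore.example.net/app.apk to restore your internet connection.",
    "Your carrier: your monthly bill is ready at https://my.example-carrier.com/bill",
    "Reminder from your provider: install the MyCarrier app at "
    "https://my.example-carrier.com/app to manage your plan",
    "Hey, running late, see you at 7",
]

if __name__ == "__main__":
    for msg, verdict in triage(SAMPLE_MESSAGES):
        print(f"[score {verdict.score}] {msg}")
        for r in verdict.reasons:
            print("   -", r)
```

The scoring deliberately weights the app-install request and the off-domain link more heavily than the carrier claim alone, so a genuine carrier message that links to an allowlisted host (the second and third samples) is not flagged even though it mentions the carrier or an app. In practice the allowlist, not the phrase matching, is what separates the real operator’s messages from an impersonation.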
Lookout and TAG researchers say apps containing Hermit were never made available through Google Play or the Apple App Store. However, attackers were able to distribute infected apps to iOS by enrolling in Apple’s Developer Enterprise Program. This allowed them to bypass the standard App Store review process and obtain a certificate that “meets all iOS code signing requirements on any iOS device.”
Apple told The Verge that it has since revoked every account and certificate associated with the threat. In addition to notifying affected users, Google has also pushed a Google Play Protect update to all users.