A sophisticated spyware campaign is getting the help of Internet Service Providers (ISPs) to trick users into downloading malicious apps, according to research published by Google’s Threat Analysis Group (TAG) (via TechCrunch). This corroborates earlier findings by security research group Lookout, which linked the spyware, dubbed Hermit, to Italian spyware vendor RCS Labs.
Lookout says RCS Labs is in the same vein as NSO Group, the infamous contract surveillance company behind Pegasus spyware, and sells commercial spyware to various government agencies. Lookout researchers believe that Hermit has already been deployed by the Kazakh government and Italian authorities. Based on these findings, Google has identified victims in both countries and says it will notify affected users.
As described in the Lookout report, Hermit is a modular threat that can download additional capabilities from a command and control (C2) server. This allows the spyware to access call logs, location, photos, and text messages on the victim’s device. Hermit can also record audio, make and intercept phone calls, and root an Android device, giving the attacker full control over its core operating system.
APPS CONTAINING HERMIT WERE NEVER AVAILABLE THROUGH GOOGLE PLAY OR APPLE APP STORE
The spyware can infect both Android and iPhone by disguising itself as a legitimate source, usually taking the form of a mobile carrier or messaging app. Google cybersecurity researchers found that some attackers actually worked with ISPs to turn off a victim’s mobile data to further their scheme. Bad actors would then impersonate the victim’s mobile carrier via SMS and trick users into believing that downloading a malicious app would restore their Internet connectivity. When the attackers were unable to work with an ISP, Google says they posed as authentic-looking messaging apps that tricked users into downloading them.
Researchers from Lookout and TAG say that apps containing Hermit were never available through Google Play or the Apple App Store. However, the attackers were able to distribute infected apps on iOS by enrolling in Apple’s Developer Enterprise program. This allowed criminals to bypass the App Store’s standard vetting process and obtain a certificate that “satisfies all iOS code signing requirements on any iOS device.”
Apple told The Verge that it has since revoked any accounts or certificates associated with the threat. In addition to notifying affected users, Google has also pushed out an update to Google Play Protect to all users.