According to Google, attackers worked with ISPs to deploy Hermit spyware on Android and iOS

Written by admin

A sophisticated spyware campaign enlisted the help of internet service providers (ISPs) to trick users into downloading malicious apps, according to research published by Google's Threat Analysis Group (TAG) (via TechCrunch). The research confirms earlier findings from the security research firm Lookout, which linked the spyware, called Hermit, to the Italian spyware vendor RCS Labs.

According to Lookout, RCS Labs operates in the same market as NSO Group, the notorious surveillance company behind the Pegasus spyware, and sells commercial spyware to various government agencies. Lookout researchers believe Hermit has already been deployed by the government of Kazakhstan and by Italian authorities. Consistent with these findings, Google has identified victims in both countries and says it will notify affected users.

As described in the Lookout report, Hermit is modular: the initial implant downloads additional capabilities from a command-and-control (C2) server as needed, which keeps the first-stage app small and lets the operator decide per victim what to pull down. Those modules let the spyware read call logs, location, photos, and text messages on a victim's device. Hermit can also record audio, make and intercept phone calls, and root an Android device, giving it full control of the operating system.

The spyware infects both Android and iOS devices by posing as a legitimate app, typically a mobile carrier's app or a messaging app. Google's researchers found that in some cases the attackers worked with the target's ISP to disable the target's mobile data connection. The attackers then sent an SMS posing as the carrier, telling the target that installing an app would restore their connectivity; that app was the spyware. Where the attackers did not have ISP cooperation, they instead distributed the malware as apps masquerading as legitimate messaging apps and lured users into installing them.

Researchers from Lookout and TAG say the Hermit apps were never distributed through Google Play or the Apple App Store. On iOS, the attackers instead enrolled in Apple's Developer Enterprise Program, which is meant for in-house corporate apps and lets an organization sign and distribute apps without App Store review. This gave them a certificate that "meets all iOS code signing requirements on all iOS devices." The practical consequence is that a sideloaded, enterprise-signed app installs and runs on any iPhone once the user trusts the developer profile; on the device, such an app is visible only as a trusted developer entry in the device-management section of Settings, which is the first thing to check when triaging a suspect iPhone.
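Enterprise-signed iOS apps can be recognised from the provisioning profile they must carry. The following is an added example, not code from Google TAG, Lookout, or any of the vendors named here: it unpacks an .ipa, pulls the plist out of the CMS-wrapped embedded.mobileprovision, and classifies the profile as enterprise (in-house), ad hoc, development, or App Store-style. The key signal is the ProvisionsAllDevices flag, which only Developer Enterprise Program profiles set. The sample profiles, team names and bundle identifiers are constructed for the demo and are not from the Hermit samples. The script does not verify the CMS signature or check certificate revocation, so treat its output as a triage flag, not a verdict; enterprise signing also has legitimate uses (corporate MDM deployments), so an "enterprise" result means "review this app", not "malware".

```python
"""Triage an iOS .ipa for enterprise (in-house) signing.

Added example; not code from Google TAG, Lookout or RCS Labs.
Every sideloaded iOS app carries Payload/<App>.app/embedded.mobileprovision,
a CMS (PKCS#7) SignedData blob whose payload is an XML plist. The plist text is
stored uncompressed inside the DER envelope, so for triage it is enough to
slice out the <?xml ... </plist> span; the signature is NOT verified here.
"""
import io
import plistlib
import zipfile


def extract_profile_plist(mobileprovision: bytes) -> dict:
    """Return the plist dict embedded in a .mobileprovision file."""
    start = mobileprovision.find(b"<?xml")
    end = mobileprovision.find(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("no plist payload found in provisioning profile")
    return plistlib.loads(mobileprovision[start:end + len(b"</plist>")])


def classify_profile(profile: dict) -> str:
    """Classify a provisioning profile by how Apple restricts where it installs.

    enterprise  : ProvisionsAllDevices is true (Developer Enterprise Program);
                  installs on any device once the user trusts the developer.
    development : explicit device list plus get-task-allow (debuggable build).
    adhoc       : explicit device list, not debuggable.
    appstore    : neither restriction present.
    """
    entitlements = profile.get("Entitlements", {})
    if profile.get("ProvisionsAllDevices"):
        return "enterprise"
    if "ProvisionedDevices" in profile:
        return "development" if entitlements.get("get-task-allow") else "adhoc"
    return "appstore"


def triage_ipa(ipa_bytes: bytes) -> dict:
    """Open an .ipa (a zip) and report its signing type and signing team."""
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as z:
        names = [n for n in z.namelist()
                 if n.startswith("Payload/") and n.endswith(".app/embedded.mobileprovision")]
        if not names:
            # App Store builds have the profile stripped; nothing to flag here.
            return {"signing": "appstore", "team": None, "app_id": None, "suspicious": False}
        profile = extract_profile_plist(z.read(names[0]))
    kind = classify_profile(profile)
    return {
        "signing": kind,
        "team": profile.get("TeamName"),
        "app_id": profile.get("Entitlements", {}).get("application-identifier"),
        # Enterprise signing outside a known corporate MDM fleet warrants review.
        "suspicious": kind == "enterprise",
    }


# ---- constructed sample data (hypothetical profiles, not real ones) ----
def make_profile(team: str, app_id: str, enterprise: bool) -> bytes:
    """Build a fake embedded.mobileprovision: plist inside a stand-in DER envelope."""
    d = {
        "Name": "Sample Profile",
        "TeamName": team,
        "Entitlements": {"application-identifier": app_id, "get-task-allow": False},
    }
    if enterprise:
        d["ProvisionsAllDevices"] = True
    else:
        d["ProvisionedDevices"] = ["00008030-000000000000000E"]  # made-up UDID
    # Stand-in bytes for the CMS/DER wrapper that surrounds the plist in a real file.
    return b"\x30\x82\x01\x00" + plistlib.dumps(d) + b"\x00\x00"


def make_ipa(profile: bytes) -> bytes:
    """Build a minimal in-memory .ipa containing the given provisioning profile."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Payload/Carrier.app/Info.plist",
                   plistlib.dumps({"CFBundleIdentifier": "com.example.carrier"}))
        z.writestr("Payload/Carrier.app/embedded.mobileprovision", profile)
    return buf.getvalue()


ENTERPRISE_IPA = make_ipa(make_profile("Example Telecom SpA", "ABCDE12345.com.example.carrier", True))
ADHOC_IPA = make_ipa(make_profile("Indie Dev", "ABCDE12345.com.example.indie", False))

if __name__ == "__main__":
    for label, ipa in (("enterprise", ENTERPRISE_IPA), ("adhoc", ADHOC_IPA)):
        print(label, triage_ipa(ipa))
```

On a real sample, point triage_ipa at the bytes of the .ipa the lure installed; a "Carrier"-style app that comes back as enterprise-signed by a team you do not recognise is exactly the shape of the iOS distribution described above. For a full verdict, verify the CMS signature, extract the signing certificate from the profile and check whether Apple has revoked it.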

Apple told The Verge that it has since revoked all accounts and certificates associated with the threat, which stops the existing apps from launching on devices that check in with Apple. In addition to notifying affected users, Google has pushed a Google Play Protect update to all Android users.
