A sophisticated spyware campaign is being helped by Internet Service Providers (ISPs) to trick users into downloading malicious apps, according to research published by the Google Threat Analysis Group (LABEL) (via TechCrunch). This confirms earlier findings of security research group Lookoutwhich has linked the spyware, called Hermit, with the Italian spyware provider RCS Labs.
Lookout says that RCS Labs is in the same line of work as NSO Group: the infamous contract surveillance company behind Pegasus spyware – and sells commercial spyware to various government agencies. Lookout researchers believe that Hermit has already been deployed by the Kazakh government and Italian authorities. Based on these findings, Google has identified victims in both countries and says it will notify affected users.
As described in the Lookout report, Hermit is a modular threat that can download additional capabilities from a command and control (C2) server. This allows the spyware to access call logs, location, photos, and text messages on the victim’s device. Hermit can also record audio, make and intercept phone calls, as well as root an Android device, giving you full control over its core operating system.
Spyware can infect both Android and iPhone by disguising itself as a legitimate source, usually taking the form of a mobile carrier or messaging app. Google cybersecurity researchers found that some attackers actually worked with ISPs to take a victim’s mobile data offline to further their scheme. Bad actors would impersonate the victim’s mobile carrier via SMS and trick users into believing that downloading a malicious app will restore their internet connectivity. If the attackers failed to work with an ISP, Google says they posed as authentic-looking messaging apps that tricked users into downloading them.
Researchers from Lookout and TAG say that apps containing Hermit were never available through Google Play or the Apple App Store. However, the attackers were able to distribute infected apps on iOS by enrolling in Apple’s Developer Enterprise program. This allowed bad actors to bypass the App Store’s standard vetting process and obtain a certificate that “satisfies all iOS code signing requirements on any iOS device.”
apple said the edge which has since revoked any accounts or certificates associated with the threat. In addition to notifying affected users, Google has also pushed out an update to Google Play Protect to all users.
