A sophisticated spyware campaign is getting help from Internet Service Providers (ISPs) to trick users into downloading malicious applications, according to a report published by Google’s Threat Analysis Group (TAG) (via TechCrunch). This confirms the earlier findings of the Lookout security research team, which links spyware called Hermit to the Italian spyware vendor RCS Labs.
Lookout says RCS Labs operates in the same market as NSO Group, the infamous surveillance-for-hire company behind the Pegasus spyware, and sells commercial spyware to various government agencies. Researchers from Lookout believe that Hermit has already been deployed by the government of Kazakhstan and by Italian authorities. In line with these findings, Google identified victims in both countries and says it will notify affected users.
As described in the Lookout report, Hermit is a modular threat that can download additional capabilities from a command and control (C2) server. This lets the spyware access call records, location, photos, and text messages on the victim’s device. Hermit can also record audio, make and intercept phone calls, and root an Android device, giving it full control of the underlying operating system.
The spyware can infect both Android and iPhone devices by posing as a legitimate source, usually a mobile carrier or messaging app. Google’s researchers found that some attackers actually worked with ISPs to disable the victim’s mobile data connection as part of the scheme. The bad actors then contacted the victim via SMS, posing as the mobile operator, and tricked the user into believing that downloading a malicious application would restore the Internet connection. When the attackers did not have an ISP’s cooperation, Google says they instead posed as seemingly authentic messaging apps to trick users into downloading them.
Researchers from Lookout and TAG say apps containing Hermit have never been available through Google Play or the Apple App Store. However, the attackers were able to distribute infected iOS apps by signing up for Apple’s Developer Enterprise Program. This allowed the bad actors to bypass the standard App Store review process and obtain a certificate that “meets all the requirements to sign an iOS code on any iOS device.”
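As an added example that is not part of the article or of the Google and Lookout reports: a defender can tell whether a sideloaded iOS app was provisioned through the Developer Enterprise Program by reading the plist inside its embedded.mobileprovision, where in-house distribution profiles carry ProvisionsAllDevices set to true. The sample profile below is constructed, with placeholder team and bundle identifiers.

```python
import plistlib
from datetime import datetime, timezone

# Constructed sample of the plist carried inside an iOS app's
# embedded.mobileprovision. The real file wraps this XML in a CMS (PKCS#7)
# signature; only the inner plist is shown, with placeholder values.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Name</key><string>Carrier Connect In-House</string>
  <key>TeamName</key><string>EXAMPLE ENTERPRISE (placeholder)</string>
  <key>TeamIdentifier</key><array><string>PLACEHOLDER00</string></array>
  <key>ProvisionsAllDevices</key><true/>
  <key>ExpirationDate</key><date>2030-01-01T00:00:00Z</date>
  <key>Entitlements</key><dict>
    <key>application-identifier</key><string>PLACEHOLDER00.com.example.carrier</string>
    <key>get-task-allow</key><false/>
  </dict>
</dict></plist>"""


def classify_profile(profile_xml, now=None):
    """Classify how an app was provisioned from its embedded profile plist.

    ProvisionsAllDevices=true is only issued for in-house (enterprise)
    distribution, the signing path that installs outside the App Store.
    """
    p = plistlib.loads(profile_xml)
    ents = p.get("Entitlements", {})
    if p.get("ProvisionsAllDevices"):
        kind = "enterprise"
    elif ents.get("get-task-allow"):
        kind = "development"      # debuggable build, limited to listed devices
    elif p.get("ProvisionedDevices"):
        kind = "ad-hoc"           # test distribution, limited to listed devices
    else:
        kind = "other"
    # plistlib returns naive UTC datetimes, so compare against naive UTC now.
    now = now or datetime.now(timezone.utc).replace(tzinfo=None)
    expired = p["ExpirationDate"] < now if "ExpirationDate" in p else None
    return {
        "kind": kind,
        "team": p.get("TeamName"),
        "app_id": ents.get("application-identifier"),
        "expired": expired,
        # Enterprise-signed apps on devices outside that team's organisation
        # deserve a closer look.
        "review": kind == "enterprise",
    }


if __name__ == "__main__":
    print(classify_profile(SAMPLE_PROFILE))
```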
Apple told The Verge that it has since revoked all accounts and certificates associated with the threat. In addition to notifying affected users, Google has also pushed an update to Google Play Protect for all users.