A week after it became clear that sophisticated mobile spyware called Hermit had been used by the Kazakh government within its borders, Google said it had notified Android users of infected devices.
In addition, the necessary changes have been made to Google Play Protect – Android’s built-in malware protection service – to protect all users, Benoit Sevens and Google Threat Analysis Group (TAG) Clement Lesin said in a report on Thursday.
Hermit, the work of an Italian provider called RCS Lab, was documented by Lookout last week, highlighting its modular feature set and its ability to gather sensitive information such as call logs, contacts, photos, exact location and SMS messages.
Once the threat has fully penetrated the device, it is also equipped to record audio and make and redirect phone calls, in addition to abusing its Android accessibility service permissions to monitor various foreground applications used by the victims.
Its modularity also allows it to be fully customized by equipping spyware functionality to be expanded or modified as desired. It is not clear who was targeted in the campaign or which of RCS Lab’s customers were involved.
The Milan-based company, which has been operating since 1993, says it has been providing law enforcement agencies around the world with cutting-edge technological solutions and technical support in the field of legal interception for more than twenty years. It is said that more than 10,000 captured targets are processed daily in Europe alone.
“The hermit is another example of the use of digital weapons to target civilians and their mobile devices, and the data collected by the participating malicious countries will certainly be invaluable,” said Richard Melik, director of threat reporting for Zimperium.
Target phones are infected with the spyware tool by downloading via drive-by as initial vectors of infection, which in turn involves sending a unique link in an SMS message, which activates the attack chain when clicked.
It is alleged that the actors worked in collaboration with Internet Service Providers (ISPs) on targets to deactivate their mobile data connection, followed by sending an SMS urging recipients to install an application to restore access to mobile data.
“We believe that’s why most apps disguise themselves as mobile apps,” the researchers said. “When ISP participation is not possible, applications are disguised as messaging applications.”
To compromise iOS users, the adversary relied on providing profiles that allow fake branded apps to be loaded from the side of the devices without having to be available in the App Store.
Analysis of the iOS version of the application shows that it uses up to six exploits – CVE-2018-4344, CVE-2019-8605, CVE-2020-3837, CVE-2020-9907, CVE-2021-30883 and CVE-2021-30983 – to filter files of interest, such as WhatsApp databases, from the device.
“As the curve slowly shifts to more expensive exploitation of memory corruption, attackers are likely to shift as well,” said Ian Beer of Google Project Zero in an in-depth analysis of an iOS artifact presented for the My Vodafone app.
In Android, drive-by control attacks require victims to activate a setup to install third-party apps from unknown sources, leading to a fraudulent app disguised as smartphone brands like Samsung, requiring extensive permissions to achieve their malicious targets.
The Android variant, in addition to trying to root the valid access device, is also connected in different ways, because instead of combining exploits in the APK file, it contains functionality that allows it to extract and execute arbitrary remote components that can communicate with the main application.
“This campaign is a good reminder that attackers do not always use exploits to get the solutions they need,” the researchers said. “The main vectors of infection and drive through downloads are still working and can be very effective with the help of local ISPs.”
Saying that seven of the nine zero-day exploits it discovered in 2021 were developed by commercial vendors and sold to and used by government-backed players, the technology giant said it was tracking more than 30 vendors with varying levels of complexity known to trade exploits and surveillance capabilities.
Moreover, Google TAG expressed concern that vendors such as RCS Lab were “secretly collecting zero-day vulnerabilities” and warned that this posed serious risks, given that a number of spyware vendors had been compromised over the past decade, ” raising the specter that their stocks may be released to the public without warning. “
“Our findings underscore the extent to which trade surveillance providers have increased the capabilities used in the past only by governments with the technical expertise to develop and operate exploits,” TAG said.
“While the use of surveillance technology may be legal under national or international law, it is often found that it is used by governments for purposes contrary to democratic values: against dissidents, journalists, human rights workers and opposition politicians. party.
Update: When asked for comment, RCS Lab said that its “core business is the design, manufacture and implementation of software platforms designed for lawful interception, forensic intelligence and data analysis” and that it helps law enforcement to prevent and investigate serious crimes such as acts of terrorism, drug trafficking, organized crime, child abuse and corruption.
Here is the rest of the unassigned statement –
RCS Lab exports its products in accordance with national and European rules and regulations. Any sale or introduction of products shall take place only after obtaining official authorization from the competent authorities. Our products are delivered and installed on the premises of approved customers. The staff of RCS Lab is not exposed and does not participate in any activities carried out by the respective clients. RCS Lab strongly condemns any misuse or misuse of its products, which are designed and manufactured with the intention of supporting the legal system in preventing and combating crime.
Add Comment