Security researchers at Lookout recently linked a previously unattributed Android spyware, called Hermit, to the Italian software house RCS Lab. Now Google's threat researchers have confirmed many of Lookout's findings and are alerting Android users whose devices were compromised by the spyware.
Hermit is a commercial spyware known to be used by governments, with victims in Kazakhstan and Italy, according to Lookout and Google. Lookout says it has also seen the spyware deployed in northern Syria. The spyware uses various modules, downloaded from its command and control servers when needed, to collect call logs, record ambient audio, redirect phone calls, and retrieve photos, messages, emails, and the precise location of the device. Lookout said in its analysis that Hermit, which works on all Android versions, also tries to root an infected device, giving the spyware even deeper access to the victim's data.
Lookout said that targeted victims receive a malicious link by text message and are tricked into downloading and installing the malicious app – which masquerades as a legitimate branded telco or messaging app – from outside the app store.
According to a new blog post published Thursday and shared with TechCrunch ahead of publication, Google said it had found evidence that in some cases the government actors controlling the spyware worked with the target's internet service provider to disable the target's mobile data connection, likely as a lure to trick the target into downloading a telco-themed app under the guise of restoring connectivity.
Google also analyzed a sample of the Hermit spyware targeting iPhones, which Lookout previously said it could not obtain. According to Google's findings, the Hermit iOS app, which abuses Apple enterprise developer certificates to allow the spyware to be loaded onto a victim's device from outside the app store, is packed with six different exploits, two of which targeted previously unknown vulnerabilities, or zero-days, at the time of their discovery. One of the zero-day vulnerabilities was known to Apple to be actively exploited before it was fixed.
Neither the Android nor iOS versions of the Hermit spyware were found in the app stores, according to both companies. Google said it has “notified Android users about infected devices” and updated Google Play Protect, the app security scanner built into Android, to prevent the app from running. Google said it also pulled the plug on the spyware’s Firebase account, which the spyware used to communicate with its servers.
Google did not say how many Android users it notified.
Apple spokesman Trevor Kincaid told TechCrunch that Apple has revoked all known accounts and certificates associated with this spyware campaign.
Hermit is the latest government-grade spyware known to be deployed by government agencies. While it is unknown who is being targeted by governments using Hermit, similar mobile spyware developed by hacking-for-hire companies, such as NSO Group and Candiru, has been linked to the surveillance of journalists, activists and human rights defenders.
When reached for comment, RCS Lab issued an unattributed statement, which read in part: “RCS Lab exports its products in accordance with both national and European laws and regulations. Any sale or implementation of products will only be made upon receipt of an official authorization from the competent authorities. Our products are supplied and installed in the premises of approved customers. RCS Lab personnel are not exposed to and do not participate in activities performed by the relevant customers.”