According to research published by Google’s Threat Analysis Group (TAG) and reported by TechCrunch, a sophisticated spyware operation is enlisting the assistance of internet service providers (ISPs) to trick users into installing malicious apps. This corroborates earlier findings by security research firm Lookout, which attributed the spyware, Hermit, to the Italian spyware maker RCS Labs.
According to Lookout, RCS Labs operates in the same market as NSO Group, the controversial surveillance-for-hire firm behind the Pegasus spyware, selling commercial spyware to government agencies. Lookout researchers believe Hermit has already been deployed by the Kazakhstani government and by Italian police. Consistent with those findings, Google has identified victims in both countries and says that affected users will be notified.
Hermit is modular: according to Lookout’s analysis, it downloads additional capability modules from a command-and-control (C2) server rather than shipping every feature in the initial app. Those modules give the spyware access to a victim’s call logs, location, photos and text messages. Hermit can also record audio, make and intercept phone calls, and root an Android device, at which point it has full control over the operating system.
The spyware targets both Android and iOS devices by posing as a legitimate source, such as a mobile carrier or a messaging app. Google’s researchers found that in some cases the attackers worked with the victim’s ISP to disable the target’s mobile data connection. The attackers then sent SMS messages impersonating the carrier, telling the victim that installing an app would restore connectivity; the “fix” was the spyware. Where no ISP cooperation was available, Google says the attackers instead disguised the app as a legitimate chat application to get it installed.
Lookout and TAG researchers say that apps carrying Hermit were never available through Google Play or Apple’s App Store. On iOS, however, the attackers enrolled in Apple’s Developer Enterprise Program, which is intended for distributing in-house apps to an organisation’s own employees. That gave them a signing certificate that “satisfies all of the iOS code signing criteria on any iOS device”, so the app could be installed on victims’ phones without ever passing App Store review.
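The common thread in the Android distribution paths above (an SMS lure to a "fix" app, or a fake chat app) is that the spyware is installed from outside Google Play. A quick triage step on a suspect device is therefore to list every package together with the installer Android recorded for it and flag anything not attributed to a trusted store. The script below is an added example, not code from Google TAG, Lookout or the article; it parses the output of `adb shell pm list packages -i` (lines of the form `package:<name>  installer=<pkg|null>`) and `pm list packages -s` (system packages). The sample output embedded in it is constructed for this example, and the set of trusted installers is an assumption you should adapt to your own fleet (OEM stores, MDM agents).

```python
"""Triage sideloaded Android packages from `pm list packages` output.

Added example (not from Google TAG's or Lookout's reports). Packages whose
recorded installer is not a trusted store are the first thing to examine
on a device suspected of carrying spyware distributed outside Google Play.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumption: the stores this fleet considers legitimate. Anything else
# (a browser, the manual package installer, an unknown agent) is flagged.
TRUSTED_INSTALLERS = {
    "com.android.vending",              # Google Play
    "com.sec.android.app.samsungapps",  # Galaxy Store (OEM example)
}

# `pm list packages -i` prints: package:<name>  installer=<pkg or null>
_INSTALLER_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)\s*$")


@dataclass(frozen=True)
class Finding:
    package: str
    installer: str
    reason: str


def parse_installers(pm_output: str) -> dict[str, str | None]:
    """Map package name -> installer package (None where pm printed 'null')."""
    result: dict[str, str | None] = {}
    for line in pm_output.splitlines():
        m = _INSTALLER_LINE.match(line.strip())
        if not m:
            continue  # skip blank lines or anything not in the expected shape
        pkg, installer = m.groups()
        result[pkg] = None if installer == "null" else installer
    return result


def parse_system_packages(pm_output: str) -> set[str]:
    """Parse `pm list packages -s` output: one 'package:<name>' per line."""
    return {
        line.strip()[len("package:"):]
        for line in pm_output.splitlines()
        if line.strip().startswith("package:")
    }


def triage(installers: dict[str, str | None], system_pkgs: set[str],
           trusted: set[str] = TRUSTED_INSTALLERS) -> list[Finding]:
    """Return packages that did not arrive through a trusted store.

    A 'null' installer is normal for preloaded system apps but suspicious
    for anything else (adb install, restored backup, some sideload paths).
    """
    findings: list[Finding] = []
    for pkg, installer in sorted(installers.items()):
        if installer in trusted:
            continue
        if installer is None:
            if pkg in system_pkgs:
                continue  # preloaded on the system partition
            findings.append(Finding(pkg, "null",
                                    "non-system app with no recorded installer"))
        else:
            findings.append(Finding(pkg, installer,
                                    f"installed by untrusted source {installer}"))
    return findings


# Constructed sample output for this example (not from a real device).
SAMPLE_INSTALLERS = """\
package:com.android.vending  installer=null
package:com.whatsapp  installer=com.android.vending
package:com.android.settings  installer=null
package:com.carrier.datafix  installer=com.google.android.packageinstaller
package:com.android.chrome  installer=null
package:com.example.securechat  installer=com.android.chrome
"""
SAMPLE_SYSTEM = """\
package:com.android.vending
package:com.android.settings
package:com.android.chrome
"""


def run_sample() -> list[Finding]:
    """Triage the constructed sample; flags the 'data fix' and browser-downloaded chat app."""
    return triage(parse_installers(SAMPLE_INSTALLERS),
                  parse_system_packages(SAMPLE_SYSTEM))


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.package:32} {f.installer:40} {f.reason}")
```

On a real device, `com.google.android.packageinstaller` as the installer means the APK was opened and installed by hand, which is exactly the path an SMS lure pointing at a download link produces; a browser package as installer means the same thing on devices where the browser hands off directly. Neither finding proves infection, but each is a package worth pulling with `adb pull` for static analysis.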
According to The Verge, Apple has since revoked the accounts and certificates associated with the threat. Google has notified affected users and pushed a Google Play Protect update to all Android users.