According to research from Google’s Threat Analysis Group (TAG), a sophisticated spyware operation uses internet service providers (ISPs) to deceive people into downloading harmful programs. This supports prior discoveries made by security research company Lookout, which connected the spyware, known as Hermit, to Italian spyware maker RCS Labs.
According to Lookout, RCS Labs sells commercial spyware to numerous government agencies and operates in the same industry as the infamous surveillance-for-hire firm NSO Group, which developed the Pegasus spyware. According to researchers at Lookout, Hermit has reportedly already been used by the governments of Italy and Kazakhstan. Google said it would notify affected users after identifying victims in both nations in line with these results.
According to the research from Lookout, Hermit is a modular threat that can download new capabilities from a command and control (C2) server. As a result, the spyware can access the call logs, location, pictures, and text messages stored on a victim’s device. In addition, Hermit can root an Android smartphone, which provides it complete access to the core operating system and records audio, makes, and intercept phone calls.
By posing as a trusted source, usually a mobile carrier or messaging app, the spyware can spread to both Android and iPhone devices. Google discovered that some attackers collaborated with ISPs to disable a victim’s mobile data to progress their plan. The malicious program download would lead consumers to believe that their internet connectivity will be restored, tricking the bad guys into posing as the victim’s mobile carrier over SMS.
In the event that attackers could not cooperate with an ISP, according to Google, they pretended to be genuine-looking messaging apps and tricked users into downloading them.
According to researchers from Lookout and TAG, Hermit-containing apps were never made available through the Google Play or Apple App Store. By signing up for Apple’s Developer Enterprise Program, attackers were able to spread malicious programs on iOS.
With the help of a certificate that “satisfies all of the iOS code signing requirements on any iOS devices,” malicious actors could go around the App Store’s standard verification process.
According to Apple, any accounts or certificates connected to the threat have subsequently been revoked. Google has deployed a Google Play Protect upgrade to all users and informed those affected.
For our team’s latest technological insights and news, visit – News insights and technology updates