Google says attackers worked with ISPs to deploy Hermit spyware on Android and iOS

Researchers found affected users in Italy and Kazakhstan

Google is warning Android and iOS users about a sophisticated spyware campaign in which the attackers got help from the targets' Internet Service Providers (ISPs). According to a report by Google's Threat Analysis Group (TAG), RCS Labs, an Italian vendor operating in the same market as the NSO Group, the company behind the infamous Pegasus spyware, is using a spyware called Hermit to target mobile users on both iOS and Android in Italy and Kazakhstan.

The ISP involvement is TAG's finding: the campaign used the providers' cooperation to trick users into downloading malicious apps. It corroborates earlier research from the security firm Lookout, which linked the spyware, dubbed Hermit, to RCS Labs.


What is Hermit spyware?

Researchers at Lookout describe Hermit as a ‘modular surveillance-ware that hides its malicious capabilities in packages downloaded after it’s deployed.’ Beyond recording audio, it can make and redirect phone calls and collect call logs, contacts, photos, device location and SMS messages from the targeted smartphone.

How does the Hermit spyware work?

The researchers further explained that the spyware is distributed via SMS messages that pretend to come from a legitimate source. In the samples analysed, it impersonated the applications of telecom companies or smartphone manufacturers. “Hermit tricks users by serving up the legitimate webpages of the brands it impersonates as it kickstarts malicious activities in the background,” Lookout wrote.

To maintain its cover, Hermit loads and displays the impersonated company's real website while the malicious activity starts in the background. Before going any further it checks whether the device it has landed on is exploitable. “If the device is confirmed to be exploitable then it will communicate with the C2 to acquire the files necessary to exploit the device and start its root service. This service will then be used to enable elevated device privileges such as access to accessibility services, notification content, package use state and the ability to ignore battery optimization,” the researchers added. Those four privileges are Android mechanisms: an accessibility service can read and act on whatever is on screen, a notification listener reads the content of other apps' notifications, usage-stats access reveals which apps are in use, and a battery-optimization exemption keeps the implant running in the background.
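The privilege set quoted above is visible in an app's manifest before it ever runs, so it can be triaged statically. The script below is an added example written for this page, not Lookout's or Google's code: it parses a decoded AndroidManifest.xml and flags the permissions and privileged services that correspond to the capabilities named in the report. The manifest and the package name `com.example.carrier.support` are constructed for illustration, and the "high" verdict rule (accessibility control combined with a battery-optimization exemption) is this editor's heuristic, not a vendor detection rule.

```python
"""Triage a decoded AndroidManifest.xml for the privilege set described above.

Added example (not Lookout's or Google's code). The sample manifest and package
name are constructed. A real APK stores its manifest as binary AXML, so decode
it first (for example `apktool d app.apk`) and feed the resulting XML in.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS
PERMISSION_ATTR = "{%s}permission" % ANDROID_NS

# <uses-permission> entries matching the capabilities the report lists.
DATA_PERMISSIONS = {
    "android.permission.RECORD_AUDIO": "record audio",
    "android.permission.CALL_PHONE": "make calls",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "SMS messages",
    "android.permission.ACCESS_FINE_LOCATION": "device location",
    "android.permission.READ_EXTERNAL_STORAGE": "photos / files",
    "android.permission.PACKAGE_USAGE_STATS": "package usage state",
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS": "ignore battery optimization",
}

# A <service> gated by one of these bind permissions is how an app obtains
# accessibility control or reads other apps' notification content.
PRIVILEGED_SERVICES = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility service",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "notification content",
}

# Editor's heuristic (an assumption, not a vendor rule): accessibility control
# plus a request to dodge battery optimization is rare in a carrier or OEM app.
HIGH_RISK_COMBO = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE",
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS",
}


def triage_manifest(manifest_xml: str) -> dict:
    """Return the package name, each suspicious capability found, and a verdict."""
    root = ET.fromstring(manifest_xml)
    findings = {}
    for perm in root.iter("uses-permission"):
        name = perm.get(NAME_ATTR, "")
        if name in DATA_PERMISSIONS:
            findings[name] = DATA_PERMISSIONS[name]
    for svc in root.iter("service"):
        gate = svc.get(PERMISSION_ATTR, "")
        if gate in PRIVILEGED_SERVICES:
            findings[gate] = PRIVILEGED_SERVICES[gate]

    if HIGH_RISK_COMBO.issubset(findings):
        verdict = "high"
    elif len(findings) >= 3:
        verdict = "medium"
    else:
        verdict = "low"
    return {"package": root.get("package"), "findings": findings, "verdict": verdict}


# Constructed manifest imitating a fake "carrier support" app (hypothetical package).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.carrier.support">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.PACKAGE_USAGE_STATS"/>
    <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
    <application android:label="Carrier Support">
        <service android:name=".A11yService"
                 android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
        <service android:name=".NotifService"
                 android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
    </application>
</manifest>
"""

# Constructed benign manifest for comparison.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
    <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

if __name__ == "__main__":
    for manifest in (SAMPLE_MANIFEST, BENIGN_MANIFEST):
        result = triage_manifest(manifest)
        print(result["package"], "->", result["verdict"])
        for name, capability in sorted(result["findings"].items()):
            print("   ", name, ":", capability)
```

The manifest only tells you what an app may ask for; whether the user actually granted accessibility or notification access is a separate runtime state, and Hermit's own report of downloading further modules after installation means the manifest of the first-stage package is a floor, not a ceiling, on what the implant can do.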

Google’s TAG said all the attacks it observed began with a unique link sent to the target. Once clicked, the page attempted to get the user to download and install a malicious application on either Android or iOS. “In some cases, we believe the actors worked with the target’s ISP to disable the target’s mobile data connectivity,” TAG wrote in a blog post. With the connection cut, the target was then sent an SMS link asking them to install an application to restore it.

“We believe this is the reason why most of the applications masqueraded as mobile carrier applications. When ISP involvement is not possible, applications are masqueraded as messaging applications,” it added.

The group also notes that while the malware was not available on the Google Play Store, on iOS it was distributed through Apple’s Developer Enterprise Program. “These apps still run inside the iOS app sandbox and are subject to the exact same technical privacy and security enforcement mechanisms (e.g. code signing) as any App Store apps. They can, however, be sideloaded on any device and don’t need to be installed via the App Store. We do not believe the apps were ever available on the App Store,” TAG wrote.

“Enterprise certificates are meant only for internal use by a company, and are not intended for general app distribution, as they can be used to circumvent App Store and iOS protections,” Apple said in an October report about sideloading. “Despite the program’s tight controls and limited scale, bad actors have found unauthorized ways of accessing it, for instance by purchasing enterprise certificates on the black market.”
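An enterprise-signed app carries the evidence of its distribution path with it: the `embedded.mobileprovision` file inside the `.app` bundle is a CMS-signed plist whose `ProvisionsAllDevices` key is set only for in-house (enterprise) profiles, while development and ad-hoc profiles instead list the specific device UDIDs in `ProvisionedDevices`. The script below is an added example, not Apple's, Google's or Lookout's code: it pulls the plist out of a profile and classifies it. The two profiles it analyses are constructed here, with placeholder bytes standing in for the real CMS envelope and hypothetical team names, app identifiers and UDIDs; the plist key names are the ones Apple's profiles actually use.

```python
"""Classify an iOS app's embedded.mobileprovision by distribution method.

Added example (not Apple's, Google's or Lookout's code). The profiles below are
constructed: an XML plist wrapped in placeholder bytes that imitate the CMS
signature surrounding the real file at Payload/<App>.app/embedded.mobileprovision.
The signature is deliberately not verified here; this is a triage step, not a
trust decision.
"""
import plistlib
from datetime import datetime, timezone


def extract_plist(profile: bytes) -> bytes:
    """Locate the XML plist inside the CMS envelope (no signature check)."""
    start = profile.find(b"<?xml")
    end = profile.find(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("no XML plist found in profile")
    return profile[start:end + len(b"</plist>")]


def classify_profile(profile: bytes, now=None) -> dict:
    """Return how the app was provisioned and the facts a responder wants first."""
    info = plistlib.loads(extract_plist(profile))
    # plistlib returns naive UTC datetimes, so compare against a naive UTC "now".
    now = now or datetime.now(timezone.utc).replace(tzinfo=None)

    if info.get("ProvisionsAllDevices"):
        # Enterprise (in-house) profile: installs on any device, never App Store reviewed.
        method = "enterprise"
    elif info.get("ProvisionedDevices"):
        method = "development/ad-hoc"  # bound to the listed UDIDs only
    else:
        method = "unknown"

    entitlements = info.get("Entitlements", {})
    return {
        "method": method,
        "team": info.get("TeamName"),
        "app_id": entitlements.get("application-identifier"),
        "debuggable": bool(entitlements.get("get-task-allow", False)),
        "expired": info.get("ExpirationDate", now) < now,
        "device_count": len(info.get("ProvisionedDevices", [])),
    }


def _fake_profile(plist_xml: str) -> bytes:
    """Wrap a plist in placeholder bytes imitating the CMS envelope (constructed)."""
    return b"\x30\x82\x10\x00" + b"\x00" * 16 + plist_xml.encode() + b"\x00" * 16


# Constructed in-house profile for a fake "carrier support" app (hypothetical names).
ENTERPRISE_PLIST = """<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Name</key><string>Carrier Support In-House</string>
  <key>TeamName</key><string>Example Telecom S.p.A.</string>
  <key>ProvisionsAllDevices</key><true/>
  <key>ExpirationDate</key><date>2030-01-01T00:00:00Z</date>
  <key>Entitlements</key><dict>
    <key>application-identifier</key><string>ABCDE12345.com.example.carrier.support</string>
    <key>get-task-allow</key><false/>
  </dict>
</dict></plist>"""

# Constructed expired development profile bound to two made-up UDIDs.
ADHOC_PLIST = """<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Name</key><string>Dev Build</string>
  <key>TeamName</key><string>Example Dev Team</string>
  <key>ProvisionedDevices</key><array>
    <string>00008030-000000000000002E</string>
    <string>00008030-000000000000003F</string>
  </array>
  <key>ExpirationDate</key><date>2020-01-01T00:00:00Z</date>
  <key>Entitlements</key><dict>
    <key>application-identifier</key><string>ABCDE12345.com.example.devbuild</string>
    <key>get-task-allow</key><true/>
  </dict>
</dict></plist>"""

if __name__ == "__main__":
    for label, plist in (("enterprise", ENTERPRISE_PLIST), ("ad-hoc", ADHOC_PLIST)):
        print(label, classify_profile(_fake_profile(plist)))
```

The useful signal is context: an app that the user believes came from the App Store but ships an `embedded.mobileprovision` with `ProvisionsAllDevices` set, signed by a team name that has nothing to do with the brand on the icon, was sideloaded under an enterprise certificate exactly as the report describes. On a Mac, `security cms -D -i embedded.mobileprovision` decodes the same plist (and checks the CMS signature) if you want to cross-check by hand.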


TAG's analysis of the iOS version shows that it carries six privilege-escalation exploits (CVE-2018-4344, CVE-2019-8605, CVE-2020-3837, CVE-2020-9907, CVE-2021-30883 and CVE-2021-30983), all of which Apple had patched by the time of the report, and uses the resulting privileges to exfiltrate files of interest, such as WhatsApp databases, from the device.

How can I protect myself from this spyware?

Google, for its part, says it has warned all Android victims, implemented changes in Google Play Protect, and disabled the Firebase projects the campaign used as C2.

Android and iOS users should keep their devices on the latest OS version, since every exploit listed above targets an already-patched flaw, and should not install apps from outside the official stores or follow links in unsolicited messages, even ones that appear to come from their carrier. Two checks are worth making. On iOS, Settings > General > VPN & Device Management lists any enterprise profile an app was installed under; a carrier or manufacturer app should not appear there. On Android, the accessibility and notification-access settings list which apps hold those privileges, and none of them should be unexpected.


About the Author: Cryptus Team

Cryptus Cyber Security is a cyber security training and penetration testing company in New Delhi, India. We deliver advanced IT security training and services with up-to-date technical content to IT professionals, and we stand by the commitments our team makes.
