According to research published by Google’s Threat Analysis Group (TAG) (via TechCrunch† This confirms previous findings from security research group Lookout, which has linked the spyware, called Hermit, to Italian spyware vendor RCS Labs.
Lookout says RCS Labs is doing the same job as NSO Group — the infamous surveillance-for-hire company behind the Pegasus spyware — passing commercial spyware to various government agencies. Lookout investigators believe Hermit has already been deployed by the government of Kazakhstan and Italian authorities. In line with these findings, Google has identified victims in both countries and said it will notify affected users.
As described in Lookout’s report, Hermit is a modular threat that can download additional capabilities from a command and control (C2) server. This allows the spyware to access the call details, location, photos and text messages on a victim’s device. Hermit can also record audio, make and intercept phone calls, as well as root to an Android device, giving it full control over its core operating system.
The spyware can infect both Android and iPhones by disguising itself as a legitimate source, usually in the form of a mobile operator or messaging app. Google’s cybersecurity researchers found that some attackers were actually working with ISPs to disable a victim’s mobile data to further their plan. Bad actors would then impersonate a victim’s mobile carrier via SMS and trick users into believing that a malicious app download will restore their internet connection. If attackers couldn’t work with an ISP, Google said they were masquerading as seemingly authentic messaging apps that they tricked users into downloading.
Lookout and TAG researchers say that apps with Hermit have never been made available through Google Play or Apple App Store. However, attackers were able to spread infected apps on iOS by enrolling in Apple’s Developer Enterprise Program. This allowed attackers to bypass the standard App Store vetting process and obtain a certificate that “meets all iOS code signing requirements on any iOS device”.
Apple told The edge that it has since revoked any accounts or certificates associated with the threat. In addition to informing affected users, Google has also pushed a Google Play Protect update to all users.