Freedom

Google believes that attackers used help from Internet Service Providers to target Android and iOS users in Italy and Kazakhstan.

By Shweta Ganjoo

Google is warning Android and iOS users about a sophisticated spyware that is getting the help from Internet Service Providers (ISPs) in attacking its targets. According to a recent report by Google’ Threat Analysis Group (TAG) RCS Labs, which works in the same domain as the NSO Group, the group behind the infamous Pegasus spyware, is using a spyware called Hermit to target mobile users on both iOS and Android in Italy and Kazakhstan. 

This report corroborates with the report of the security research group, Lookout, that linked the spyware dubbed as Hermit with the RCS Labs. 

What is Hermit spyware

Researchers at Lookout said that Hermit is a ‘modular surveillance-ware that hides its malicious capabilities in packages downloaded after it’s deployed.’ What makes it dangerous is the fact that this spyware can not only record audio but also make and redirect phone calls, as well as collect data such as call logs, contacts, photos, device location and SMS messages on the targeted smartphone. 

how does the Hermit spyware work?

Researchers further explained that that the spyware is distributed via SMS messages pretending to come from a legitimate source. In the samples that the researchers have analysed, the spyware impersonated the applications of telecom companies or smartphone manufacturers. “Hermit tricks users by serving up the legitimate webpages of the brands it impersonates as it kickstarts malicious activities in the background,” Lookout researchers wrote in a blog post.

To maintain its cover, the Hermit spyware loads and displays the website from the impersonated company simultaneously as malicious activities kickstart in the background. This spyware is smart. First, it checks if the device it is targeting is exploitable. “If the device is confirmed to be exploitable then it will communicate with the C2 to acquire the files necessary to exploit the device and start its root service. This service will then be used to enable elevated device privileges such as access to accessibility services, notification content, package use state and the ability to ignore battery optimization,” the researchers added.

Google’s TAG said all the attacks it observed originated with a unique link sent to the target. Once clicked, the page attempted to get the user to download and install a malicious application on either Android or iOS. “In some cases, we believe the actors worked with the target’s ISP to disable the target’s mobile data connectivity,”

“We believe this is the reason why most of the applications masqueraded as mobile carrier applications. When ISP involvement is not possible, applications are masqueraded as messaging applications,” it added.

The group also notes while the malware wasn’t available on the Google Play Store, on iOS it was distributed via Apple’s Developer Enterprise Program. “These apps still run inside the iOS app sandbox and are subject to the exact same technical privacy and security enforcement mechanisms (e.g. code side loading) as any App Store apps. They can, however, be sideloaded on any device and don’t need to be installed via the App Store. We do not believe the apps were ever available on the App Store,”

How can I protect myself from this spyware?

Google on its part has warned all Android victims. It has also implemented changes in Google Play Protect and disabled Firebase projects used as C2 in this campaign.

Android and iOS users, on their part can download the latest version of mobile OS on their smartphones. Additionally, smartphone users should avoid downloading unknown apps or clicking on links from unknown sources.