Google sends Android users Hermit spyware intrusion warning

Lookout security researchers earlier linked an Android spyware family called Hermit to the Italian software company RCS Lab. Google's Threat Analysis Group (TAG) has now confirmed most of Lookout's findings and is warning Android users whose devices were compromised by the Hermit mobile spyware.

Lookout and Google both assess Hermit as government-backed commercial spyware, with victims mainly in Kazakhstan and Italy but also in northern Syria.

The spyware is modular: it fetches the capabilities it needs from its command-and-control (C2) server on demand, including modules for collecting call logs, recording ambient audio, redirecting phone calls, stealing photos, messages and emails from the device, and collecting precise location data.

Lookout's analysis found that Hermit runs on all Android versions and attempts to root the infected device.

Victims are lured by malicious links sent via SMS into downloading and installing the malware from outside the official app store. Hermit typically poses as a major telecommunications carrier or a messaging app.

In a blog post on Thursday, Google also reported evidence that, in some cases, the actors worked with the target's ISP to cut the victim's mobile data connection. The apparent purpose is to lure the victim into installing the malicious app, which is presented as a way to restore connectivity.

Google also analyzed Hermit samples targeting iPhones and found that the iOS app was signed with an Apple enterprise developer certificate. Enterprise (in-house) certificates are meant for distributing a company's internal apps to its own employees; abusing one lets the spyware be sideloaded onto devices outside the App Store, bypassing Apple's app review.
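A practical check that follows from this: an app installed outside the App Store carries an embedded.mobileprovision file, and its plist says what kind of signing profile it is. The following is an added example, not code from the page, from Google, Lookout or RCS Lab; it classifies a provisioning profile by the documented plist keys (ProvisionsAllDevices marks an enterprise profile, ProvisionedDevices an ad-hoc or development profile, get-task-allow distinguishes development from ad-hoc). The sample profiles are constructed in a helper with invented team, bundle and device identifiers, and `extract_plist` assumes the plist text appears verbatim inside the CMS-signed file, which it does in real profiles, but this locates it heuristically and does not verify the signature.

```python
import plistlib
from datetime import datetime, timezone


def make_profile(all_devices=True, devices=None, task_allow=False,
                 expires="2030-01-01T00:00:00Z") -> bytes:
    """Build a constructed embedded.mobileprovision plist body for testing.

    Every value here (team, bundle id, device UDIDs) is invented; a real
    profile is CMS-signed by Apple and carries the developer certificates too.
    """
    lines = [
        '<?xml version="1.0" encoding="UTF-8"?>',
        '<plist version="1.0"><dict>',
        '<key>Name</key><string>Constructed Profile</string>',
        '<key>TeamName</key><string>Example Corp</string>',
        '<key>TeamIdentifier</key><array><string>ABCDE12345</string></array>',
        f'<key>ExpirationDate</key><date>{expires}</date>',
    ]
    if all_devices:
        # Only enterprise (in-house) distribution profiles carry this key.
        lines.append('<key>ProvisionsAllDevices</key><true/>')
    if devices:
        # Ad-hoc and development profiles list the allowed device UDIDs.
        udids = ''.join(f'<string>{d}</string>' for d in devices)
        lines.append(f'<key>ProvisionedDevices</key><array>{udids}</array>')
    lines += [
        '<key>Entitlements</key><dict>',
        '<key>application-identifier</key>'
        '<string>ABCDE12345.com.example.app</string>',
        f'<key>get-task-allow</key><{"true" if task_allow else "false"}/>',
        '</dict></dict></plist>',
    ]
    return "\n".join(lines).encode()


def extract_plist(raw: bytes) -> bytes:
    """Return the XML plist carried inside a provisioning profile.

    A real embedded.mobileprovision is a CMS (PKCS#7) signed blob whose payload
    is the plist; the XML sits in it verbatim, so scanning for the markers is
    enough for inspection (it is not a signature check).
    """
    start = raw.find(b"<?xml")
    end = raw.find(b"</plist>")
    if start == -1 or end == -1:
        raise ValueError("no plist found in provisioning profile")
    return raw[start:end + len(b"</plist>")]


def classify_profile(raw: bytes) -> dict:
    """Classify a profile as enterprise, ad-hoc, development or app-store."""
    plist = plistlib.loads(extract_plist(raw))
    ents = plist.get("Entitlements", {})
    if plist.get("ProvisionsAllDevices"):
        kind = "enterprise"          # installable on any device, no review
    elif "ProvisionedDevices" in plist:
        kind = "development" if ents.get("get-task-allow") else "ad-hoc"
    else:
        kind = "app-store"           # App Store builds normally have no profile
    expires = plist.get("ExpirationDate")  # plistlib yields a naive UTC datetime
    now = datetime.now(timezone.utc).replace(tzinfo=None)
    return {
        "kind": kind,
        "team_name": plist.get("TeamName"),
        "team_ids": list(plist.get("TeamIdentifier", [])),
        "app_id": ents.get("application-identifier"),
        "expires": expires,
        "expired": bool(expires and expires < now),
    }


if __name__ == "__main__":
    # Simulate a signed file: arbitrary DER-looking bytes around the plist.
    signed = b"\x30\x82\x0a\x00\x06\x09junk" + make_profile() + b"\x00\x00"
    for key, value in classify_profile(signed).items():
        print(f"{key}: {value}")
```

On a real device backup or an unzipped IPA, point `classify_profile` at the bytes of Payload/<App>.app/embedded.mobileprovision; on macOS, `security cms -D -i embedded.mobileprovision` also strips the signature and yields the same plist. An "enterprise" result on a consumer device that is not managed by the named team is the red flag this article describes.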

The iOS app bundles exploits for six different vulnerabilities, two of which were unpatched zero-days at the time they were used. Worse, Apple was aware that one of the two had been actively exploited before its fix was complete. Neither company has found Android or iOS versions of Hermit in its official app store.

Google has now sent warning notices to users of infected Android devices and updated Google Play Protect, the on-device malware scanner, to block the spyware from running. Google also shut down the Firebase account the spyware used to communicate with its server, but did not disclose how many Android devices were affected.

Apple spokesman Trevor Kincaid said the company had revoked all known accounts and credentials associated with the spyware campaign. It is unclear exactly who Hermit was targeting, but given the precedents set by NSO Group and Candiru, it is not hard to guess.
