According to Google Threat Analysis Group (TAG) researchers Benoit Sevens and Clement Lecigne, as well as Project Zero, a distinct government- and enterprise-grade iOS and Android spyware variant is now in active circulation.
Victims have been located in Italy and Kazakhstan.
The spyware, dubbed Hermit, is modular surveillanceware. After analyzing 16 of the 25 known modules, Lookout cybersecurity researchers said the malware will try to root devices and has features including recording audio, redirecting or making phone calls, stealing swathes of information such as SMS messages, call logs, contact lists and photos, and exfiltrating GPS location data.
Lookout’s analysis, published on June 16, suggested that the spyware is sent via malicious SMS messages. TAG’s conclusion is similar, with unique links sent to a target masquerading as messages sent by an internet service provider (ISP) or a messaging application.
“In some cases, we believe the actors worked with the target’s ISP to disable the target’s mobile data connectivity,” Google says. “Once disabled, the attacker would send a malicious link via SMS asking the target to install an application to recover their data connectivity.”
The Lookout team could only secure an Android version of Hermit, but now, Google’s contribution has added an iOS sample to the investigation. Neither sample was found in official Google or Apple app repositories. Instead, the spyware-laden apps were downloaded from third-party hosts.
The Android sample requires a victim to download an .APK after allowing the installation of mobile apps from unknown sources. The malware disguised itself as a Samsung app and used Firebase as part of its command-and-control (C2) infrastructure.
“While the APK itself does not contain any exploits, the code hints at the presence of exploits that could be downloaded and executed,” the researchers say.
Google has notified Android users impacted by the app and made changes in Google Play Protect to protect users from the app’s malicious activities. Additionally, the Firebase projects associated with the spyware have been disabled.
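Because the Android sample was sideloaded rather than installed from Google Play, one cheap triage check a defender can run on a handset is to list third-party packages together with the installer that placed them on the device. The script below is an added example, not code from the article or from Lookout or Google: it parses the output format of `adb shell pm list packages -3 -i` (one line per package, `package:<name>  installer=<installer package or null>`) and flags every package whose installer is not a store the operator trusts. The sample output, the package names in it and the trusted-installer set are all constructed for the example.

```python
"""Flag sideloaded third-party Android packages from `pm list packages -3 -i` output.

Added example (not from the article, Lookout or Google). Sideloaded apps,
such as the Hermit APK the article describes, report `installer=null` or a
non-store installer (a browser, a file manager) instead of the Play Store.
"""
import re
import subprocess
from typing import Dict, List

# Installers treated as legitimate store paths. This set is an assumption
# for the example; extend it with your MDM or OEM store package if needed.
TRUSTED_INSTALLERS = {
    "com.android.vending",  # Google Play Store
}

# One line per package, as printed by `adb shell pm list packages -3 -i`.
_LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)\s*$")

# Constructed sample output; these package names are invented for the example.
SAMPLE_PM_OUTPUT = """\
package:com.example.bankapp  installer=com.android.vending
package:com.example.syncservice  installer=null
package:org.example.browser  installer=com.android.vending
package:com.example.recoverytool  installer=com.android.chrome
"""


def parse_pm_output(text: str) -> Dict[str, str]:
    """Map each package name to its recorded installer ("null" if none)."""
    packages: Dict[str, str] = {}
    for line in text.splitlines():
        match = _LINE_RE.match(line.strip())
        if match:  # skip blank lines and any unexpected adb noise
            packages[match.group("pkg")] = match.group("inst")
    return packages


def find_sideloaded(text: str, trusted=TRUSTED_INSTALLERS) -> List[str]:
    """Return, sorted, the packages not installed through a trusted store.

    An installer of "null" means the package was installed by the system
    package installer (typical for a downloaded APK); any other installer
    outside `trusted` is flagged as well, since a browser or file manager
    acting as installer is also a sideload path.
    """
    packages = parse_pm_output(text)
    return sorted(
        pkg for pkg, inst in packages.items()
        if inst == "null" or inst not in trusted
    )


def sideloaded_from_device() -> List[str]:
    """Run the check against a connected device via adb (requires adb on PATH)."""
    result = subprocess.run(
        ["adb", "shell", "pm", "list", "packages", "-3", "-i"],
        capture_output=True, text=True, check=True,
    )
    return find_sideloaded(result.stdout)


if __name__ == "__main__":
    for pkg in find_sideloaded(SAMPLE_PM_OUTPUT):
        print("review sideloaded package:", pkg)
```

A flagged package is a lead, not a verdict: legitimate apps are sideloaded every day, so the next step is to pull the APK (`adb shell pm path <package>` followed by `adb pull`) and check its signing certificate and permissions against what the vendor publishes.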
The iOS sample, signed with a certificate obtained from the Apple Developer Enterprise Program, contained a privilege escalation exploit that could be triggered by six vulnerabilities.
While four (CVE-2018-4344, CVE-2019-8605, CVE-2020-3837, CVE-2020-9907) were known, two others – CVE-2021-30883 and CVE-2021-30983 – were suspected of being exploited in the wild as zero-days before Apple patched them in December 2021. The iPad and iPhone maker has also revoked the certificates associated with the Hermit campaign.
Google and Lookout say that the spyware is likely attributable to RCS Lab, an Italian company in operation since 1993.
RCS Lab told TechCrunch that the firm “exports its products in compliance with both national and European rules and regulations,” and “any sales or implementation of products is performed only after receiving an official authorization from the competent authorities.”
Hermit’s circulation only highlights a broader issue: the thriving spyware and digital surveillance industry.
Last week, Google testified at the EU Parliamentary Committee of Inquiry’s hearing on the use of Pegasus and other commercial-grade spyware.
TAG is currently tracking over 30 vendors that offer exploits or spyware to government-backed entities, and according to Charley Snyder, head of cybersecurity policy at Google, while their use may be legal, “they are often found to be used by governments for purposes antithetical to democratic values: targeting dissidents, journalists, human rights workers & politicians.”
“That’s why when Google discovers these activities, we not only take steps to protect users, but disclose that information publicly to raise awareness & help the ecosystem,” Snyder commented.