According to a study published by Google’s Threat Analysis Group (TAG) (via TechCrunch). This supports earlier findings by security research group Lookout, which linked the spyware, dubbed Hermit, to Italian spyware vendor RCS Labs.
Lookout claims that RCS Labs is in the same line of work as NSO Group – the infamous surveillance company behind Pegasus spyware – and sells commercial spyware to various government agencies. Lookout researchers believe that Hermit has already been deployed by the Government of Kazakhstan and Italian authorities. In line with these findings, Google has identified victims in both countries and says it will notify affected users.
As described in Lookout’s report, Hermit is a modular threat that can download additional functionality from a command and control (C2) server. This allows the spyware to access call recordings, location, photos, and text messages on the victim’s device. Hermit is also capable of recording audio, making and intercepting phone calls, and rooting an Android device, giving it full control over the underlying operating system.
The spyware can infect both Android and iPhone devices by impersonating a legitimate source, usually a mobile carrier or a messaging app. Google’s cybersecurity researchers found that some attackers were actually working with ISPs to disable a victim’s mobile data to advance their scheme. The malicious actors would then impersonate the victim’s mobile operator via text message and trick users into believing that downloading a malicious app would restore their internet connectivity. Where the attackers were unable to work with an ISP, Google says they disguised the spyware as seemingly genuine messaging apps that they tricked users into downloading.
Lookout and TAG researchers claim that apps containing Hermit were never made available through Google Play or the Apple App Store. However, the attackers were able to distribute infected apps on iOS by enrolling in Apple’s Developer Enterprise program. This allowed bad actors to bypass the standard App Store verification process and obtain a certificate that “satisfies all iOS code signing requirements on all iOS devices”.
Apple told The Verge that it has since revoked any accounts or certificates associated with the threat. In addition to notifying affected users, Google has also pushed an update to Google Play Protect for all users.