Google says the distribution of Hermit spyware is linked to Internet service providers
According to Google's Threat Analysis Group (TAG), a sophisticated spyware distribution campaign has received help from several Internet service providers (ISPs) in tricking targeted users into downloading malicious apps. This confirms the earlier findings of the Lookout security research group on Hermit, the spyware supplied by the Italian vendor RCS Labs.
According to the security research group, RCS Labs is directly linked to NSO Group, the company behind the infamous Pegasus spyware, and specializes in selling commercial spyware to government agencies. Lookout believes Hermit has been used by the Kazakh and Italian governments to spy on people. Google said it has identified victims in both countries and will notify the affected users.
As described in the Lookout report, Hermit can access call records, location, photos and text messages on victims' devices. It also lets its operators record audio, make and block calls, and root Android devices to take full control of the operating system.
The spyware can infect both Android and iOS devices by disguising itself as a legitimate app, often posing as a mobile carrier or messaging app, to fool security tools and users alike. Once installed on the device, it downloads additional components from a remote server (for arbitrary code execution, remote control, tracking, data theft and so on).
Google's threat analysts found that some attackers actually worked with ISPs to cut off victims' mobile data and then, posing as the carrier, sent the targets messages with a link to download the malicious app under the pretext of helping them "restore internet connection".
Hermit has never been offered through Google Play or the Apple App Store. Nevertheless, the attackers were able to distribute the infected app on iOS by enrolling in Apple's Enterprise Developer Program. This let them bypass the App Store's standard review process and obtain a certificate that allows the app to be installed on any iOS device.
Apple said that, after discovering this abuse, it revoked all Hermit-related developer accounts and certificates. In addition to notifying affected users, Google has rolled out Google Play Protect updates to all users.