‘Hermit’ is the latest sophisticated spyware in the news, and it is believed to have targeted iPhones and Android devices in Italy and Kazakhstan. The deployment of Hermit, spyware developed by an Italian vendor called RCS Lab, was first reported by researchers at Lookout, a San Francisco-based cybersecurity firm. Google’s Threat Analysis Group (TAG) then published a detailed blog post last week describing how it believes Hermit was used to target devices.
What is Hermit and what exactly does it do on the device?
Hermit is spyware along the lines of Pegasus from NSO Group. Once installed on a device, it can record audio, place unauthorised calls and carry out many other unauthorised actions. According to Lookout, the spyware can steal stored account emails, contacts, browser bookmarks and searches, calendar events and more. It can take photos with the device’s camera and collect device information such as installed applications, kernel details, model and manufacturer, OS version, installed security patches and phone numbers. It can also download and install additional APK files (Android application packages) on the compromised phone.
The spyware can also upload files from the device, read notifications and capture screenshots. Because it can obtain root, or ‘privileged’, access to the Android system, Lookout’s research shows it can uninstall apps such as Telegram and WhatsApp. According to the researchers, the spyware can silently uninstall and reinstall Telegram, leaving the reinstalled version likely compromised, and it can also steal data from the previously installed app. For WhatsApp, it may prompt the user to reinstall the app via the Play Store.
Therefore, once Hermit has been deployed on a phone, it can control and track data from all major applications.
How is Hermit deployed on Android and iOS devices?
Sophisticated spyware like Hermit and Pegasus costs millions of dollars in licence fees, and deploying it is not a simple operation. It is unlike ordinary malware aimed at everyday users, and in Hermit’s case the operations appear to have been elaborate. According to Google’s TAG team, all campaigns started with a unique link sent to the victim’s phone. Once clicked, the page tried to get the user to download and install a malicious application, on either Android or iOS.
But how did they bypass the security measures of both Apple and Google?
Google believes that in some cases the actors targeting the victims worked with the target’s ‘Internet Service Provider’ or ISP. Google notes: “We believe that the actors worked with the target’s ISP to disable the target’s mobile data connectivity. Once disabled, the attacker would send a malicious link via SMS asking the target to install an application to recover their data connectivity. We believe this is the reason why most of the applications masqueraded as mobile carrier applications.”
When ISP involvement was not possible, the spyware would instead pose as a messaging app. In Google’s screenshot example, the link led to a page pretending to be a Facebook account recovery page, which asked the user to download a version of WhatsApp, Instagram or Facebook. This was the lure used on Android. These were, of course, trojanised versions of those messaging apps.
According to Lookout, some of the lures used in Kazakhstan masqueraded as pages for Oppo, Samsung and Vivo, all well-known phone brands. Lookout’s research also indicates that RCS Lab has worked with Tykelab Srl, a telecom solutions company. Lookout believes Tykelab is likely a “front company” for RCS Lab, and its blog post sets out several links between the two.
On iOS, Google’s research found that the spyware abused Apple’s Enterprise Certificate, which is issued to select enterprises enrolled in the Apple Developer Enterprise Program. The certificate lets a company distribute its in-house apps directly to iOS devices, bypassing the App Store. The ‘Hermit’ apps were signed with such a certificate, which Apple has since revoked.
Google said the certificate belonged to a company named 3-1 Mobile SRL, which held it because it was enrolled in the Apple Developer Enterprise Program. Google also emphasised that it does “not believe that the apps were ever available on the App Store.” Once installed, the apps used a number of exploits for already-known vulnerabilities, along with zero-day exploits, to gain greater access and monitoring capability. According to a new report from 9to5Mac, Apple has now revoked the certificates used by these apps.
What next? How can users protect themselves?
Hermit is not ordinary spyware. Lookout’s analysis indicates that in Kazakhstan, “an entity of the national government is likely behind the campaign.” Google said it has identified and notified all Android victims in Italy and Kazakhstan. It also said it has made changes to Google Play Protect and has disabled all Firebase projects used for command and control in the campaign.
Lookout also states that it has seen Hermit deployed in Syria. In Italy, documents showed it was misused in an anti-corruption operation. “The document mentions the iOS version of Hermit and links RCS Lab and Tykelab to the malware, which confirms our analysis,” the blog notes.
According to Lookout, “mobile devices are perfect targets for surveillance.” While most of us will never be targeted, users should still follow basic precautions. This includes updating the phone regularly, since each update patches previously known or unknown vulnerabilities. Users should also avoid clicking on unknown links, even out of curiosity. Finally, it is worth periodically reviewing the apps on the device to check whether something unfamiliar has been added.
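One concrete way to do that last check on Android, since the Hermit apps described above were sideloaded from SMS links rather than installed from the Play Store, is to list third-party packages together with the store that installed them (`adb shell pm list packages -3 -i`) and flag anything whose installer is missing or untrusted. The script below is an added example and is not code from Lookout, Google TAG or the article; it assumes the `package:<name>  installer=<installer>` line format of the `pm` command, and the allowlist of trusted installers is an assumption you should extend for any OEM store you actually use. The sample output is constructed, not captured from a real device.

```python
"""Flag sideloaded Android packages from `adb shell pm list packages -3 -i` output.

Added example (not from Lookout, Google TAG or the article). Assumptions:
the `installer=` line format printed by `pm`, and the TRUSTED_INSTALLERS
allowlist below.
"""
import re
from typing import Dict, List

# Installer package names treated as trusted app stores. Assumption: add OEM
# stores (e.g. Samsung's Galaxy Store) if apps on your device come from them.
TRUSTED_INSTALLERS = {
    "com.android.vending",  # Google Play Store
}

# One line per package, e.g. "package:com.whatsapp  installer=com.android.vending"
LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)\s*$")


def parse_pm_output(text: str) -> Dict[str, str]:
    """Map package name -> installer name from `pm list packages -i` output.

    `installer=null` means no store recorded itself as the installer, which is
    what a manually installed APK (such as one fetched from an SMS lure) looks like.
    """
    result: Dict[str, str] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or unrelated lines
        result[m.group("pkg")] = m.group("inst")
    return result


def sideloaded(packages: Dict[str, str], trusted=TRUSTED_INSTALLERS) -> List[str]:
    """Return packages whose installer is absent or not in the trusted set."""
    return sorted(
        pkg for pkg, inst in packages.items()
        if inst == "null" or inst not in trusted
    )


# Constructed sample output (not real device data). The third line mimics a
# sideloaded app named to look like a carrier's connectivity-recovery tool.
SAMPLE = """\
package:com.whatsapp  installer=com.android.vending
package:org.telegram.messenger  installer=com.android.vending
package:com.carrier.recovery  installer=null
package:com.example.sideloaded  installer=com.example.installer
"""

if __name__ == "__main__":
    pkgs = parse_pm_output(SAMPLE)
    for pkg in sideloaded(pkgs):
        print(f"review: {pkg} (installer={pkgs[pkg]})")
```

Run it against real output with `adb shell pm list packages -3 -i > pkgs.txt` and feed the file contents to `parse_pm_output`. Anything it flags is not proof of compromise, since legitimate apps are sideloaded too, but each entry deserves a look, particularly one whose name suggests a carrier or phone-brand utility you never knowingly installed. On iOS there is no equivalent command; the analogous check is Settings > General > VPN & Device Management, where an app installed under an Enterprise Certificate appears as an enterprise developer profile you would not expect on a personal phone.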
Google’s blog post also strongly condemns the use of such surveillance tools by states, noting that in many instances they are being used “by governments for purposes antithetical to democratic values: targeting dissidents, journalists, human rights workers and opposition party politicians.”
Meanwhile, RCS Lab has denied any wrongdoing, saying its products and services comply with European regulations and help law enforcement investigate crimes, as reported by Reuters.