Google warns internet service providers helped distribute Hermit spyware

Google is warning of a sophisticated new spyware campaign that has seen malicious actors steal sensitive data from Android and iOS users in Italy and Kazakhstan. On Thursday, the company’s Threat Analysis Group (TAG) shared its findings on RCS Labs, a commercial spyware vendor based out of Italy.

On June 16th, security researchers at Lookout linked the firm to Hermit, a spyware program believed to have been first deployed in 2019 by Italian authorities as part of an anti-corruption operation. Lookout describes RCS Labs as an NSO Group-like entity. The firm markets itself as a “lawful intercept” business and claims it only works with government agencies. However, commercial spyware vendors have come under intense scrutiny in recent years, largely thanks to governments using the Pegasus spyware to target activists and journalists.

According to Google, Hermit can infect both Android and iOS devices. In some instances, the company’s researchers observed malicious actors work with their target’s internet service provider to disable their data connection. They would then send the target an SMS message with a prompt to download the linked software to restore their internet connection. If that wasn’t an option, the bad actors attempted to disguise the spyware as a legitimate messaging app like WhatsApp or Instagram.

What makes Hermit particularly dangerous is that it can gain additional capabilities by downloading modules from a command and control server. Some of the addons Lookout observed allowed the program to steal data from the target’s calendar and address book apps, as well as take pictures with their phone’s camera. One module even gave the spyware the capability to root an Android device.

Google believes Hermit never made its way to the Play or App stores. However, the company found evidence that bad actors were able to distribute the spyware on iOS by enrolling in Apple’s Developer Enterprise Program. Apple told The Verge that it has since blocked any accounts or certificates associated with the threat. Meanwhile, Google has notified affected users and rolled out an update to Google Play Protect.

The company ends its post by noting the growth of the commercial spyware industry should concern everyone. “These vendors are enabling the proliferation of dangerous hacking tools and arming governments that would not be able to develop these capabilities in-house,” the company said. “While use of surveillance technologies may be legal under national or international laws, they are often found to be used by governments for purposes antithetical to democratic values: targeting dissidents, journalists, human rights workers and opposition party politicians.”

All products recommended by Engadget are selected by our editorial team, independent of our parent company. Some of our stories include affiliate links. If you buy something through one of these links, we may earn an affiliate commission.

Read the rest at Engadget