Google is notifying Android users targeted by Hermit government-grade spyware – Meczyki.Net

Security researchers at Lookout recently linked a previously undocumented Android spyware, named Hermit, to the Italian software house RCS Lab. Now Google’s threat researchers have confirmed most of Lookout’s findings and are notifying Android users whose devices were compromised by the spyware.

According to Lookout and Google, Hermit is a commercial spyware used by governments, with victims in Kazakhstan and Italy. Lookout says it has also seen the spyware deployed in northern Syria. The spyware uses various modules, which it downloads from its command and control servers, to collect call logs, record ambient audio, redirect phone calls, and collect photos, messages, emails and the precise location of the device from the victim’s phone. Lookout said in its analysis that Hermit, which works on all Android versions, also tries to root an infected Android device, giving the spyware even deeper access to the victim’s data.

Lookout said targeted victims are sent a malicious link by text message and are tricked into downloading and installing the malicious app — posing as a legitimate branded telco or messaging app — from outside the official app store.

According to a new blog post published on Thursday and shared with Meczyki.Net ahead of its publication, Google said it has found evidence that the government actors controlling the spyware in some cases worked with the target’s mobile provider to cut off the target’s mobile data connectivity, likely as a lure to trick the target into downloading a telco-themed app under the guise of restoring connectivity.

Google also analyzed a sample of Hermit spyware targeting iPhones, which Lookout previously said it was unable to obtain. According to Google’s findings, the Hermit iOS app — which abuses Apple Enterprise Developer certificates to allow the spyware to be sideloaded onto a victim’s device from outside the App Store — is packed with six different exploits, two of which targeted vulnerabilities that were previously unknown at the time of their discovery, known as zero-days. One of the zero-day vulnerabilities was known to Apple to be actively exploited before it was fixed.

According to both companies, neither the Android nor the iOS version of Hermit spyware was found in the official app stores. Google said it has “notified Android users of infected devices,” and has updated Google Play Protect, the app safety scanner built into Android, to prevent the app from running. Google said it has also pulled the plug on the spyware’s Firebase account, which the spyware used to communicate with its servers.

Google did not say how many Android users it was notifying.

Apple spokesman Trevor Kincaid told Meczyki.Net that Apple has revoked all known accounts and certificates associated with this spyware campaign.

Hermit is the latest government-grade spyware found to be deployed by state agencies. While it is not known who has been targeted by governments using Hermit, similar mobile spyware developed by hacking-for-hire companies such as NSO Group and Candiru has been linked to the surveillance of journalists, activists and human rights defenders.

When reached for comment, RCS Lab provided an unrestricted statement, which read in part:

RCS Lab exports its products in compliance with both national and European rules and regulations. Any sale or implementation of the products is done only after obtaining official authorization from the competent authorities. Our products are delivered and installed at approved customers’ premises. RCS Lab personnel are not exposed to, nor do they participate in, any activities conducted by the respective clients.
