Google has issued a warning about a high-grade malware strain that targets users of Android and iOS mobile devices.

A distinct government- and enterprise-grade spyware variant targeting both iOS and Android is currently in circulation, according to Google Threat Analysis Group (TAG) researchers Benoit Sevens and Clement Lecigne and Google's Project Zero.

Victims have been identified in Kazakhstan and Italy. The surveillance software, known as Hermit, is modular. Researchers at the cybersecurity firm Lookout said the malware attempts to root devices and includes capabilities such as recording audio, redirecting or placing phone calls, and harvesting large amounts of data, including SMS messages, call logs, contact lists, photographs, and GPS location data.

Lookout's investigation, published on June 16, found that the spyware is distributed through malicious SMS messages. Consistent with TAG's findings, targets are sent crafted URLs that pose as communications from an internet service provider (ISP) or from a messaging application.

In some cases, Google believes the actors worked with the target's ISP to cut off the target's mobile data connectivity. Once the data connection was disabled, the attacker sent the target a malicious link via SMS, urging them to install an application in order to restore it.

The Lookout team was only able to obtain an Android version of Hermit, but with Google's contribution the investigation now covers an iOS sample as well. Neither sample was found in the official Apple or Google app stores; the spyware-laden applications were instead downloaded from third-party hosts.

The Android sample requires the victim first to allow installation of apps from unknown sources and then to download an APK. The malware masqueraded as a Samsung application and used Firebase as part of its command-and-control (C2) infrastructure.

Although the APK itself contains no exploits, the researchers believe its code points to exploits that can be downloaded and executed at runtime.

To protect users from the app's malicious activity, Google has updated Google Play Protect and notified the Android users affected by it.

The Firebase projects associated with the spyware have also been disabled.

The iOS sample contains privilege-escalation exploit code that can be triggered through six vulnerabilities, and it was signed with a certificate obtained through the Apple Developer Enterprise Program.

Four of these were already known (CVE-2018-4344, CVE-2019-8605, CVE-2020-3837, and CVE-2020-9907); the other two, CVE-2021-30883 and CVE-2021-30983, were rumoured to have been exploited as zero-days in the wild before Apple patched them in December 2021. Apple has also revoked the certificates linked to the Hermit campaign.

According to Google and Lookout, the malware is most likely the work of the Italian company RCS Lab, which has been in business since 1993.

RCS Lab told TechCrunch that the company “exports its products in line with both national and European rules and regulations,” and that “any sales or implementation of products is undertaken only after acquiring an official authorization from the appropriate authorities.”

Hermit's emergence highlights a larger problem: the booming spyware and digital surveillance industry. Google gave testimony last week at a hearing on the use of Pegasus and other commercial-grade spyware held by the EU Parliamentary Committee of Inquiry.

While the use of such tools may be legal, said Charley Snyder, Head of Cybersecurity Policy at Google, “they are often found to be used by governments for purposes antithetical to democratic values: targeting dissidents, journalists, human rights workers & politicians.” TAG is currently tracking more than 30 vendors that sell exploits or spyware to government-backed entities.

Because of this, Snyder said, “Google takes action to safeguard users as well as publish information publicly to raise awareness and benefit the ecosystem” when it learns of such activity.