Google Warns Internet Service Providers Helped Distribute Hermit Spyware


Google is warning of a sophisticated new spyware campaign that has seen malicious actors steal sensitive data from Android and iOS users in Italy and Kazakhstan. On Thursday, the company’s Threat Analysis Group (TAG) shared its findings on RCS Labs, a commercial spyware vendor based in Italy.

On June 16, security researchers linked the company to Hermit, spyware that was reportedly first deployed in 2019 by Italian authorities as part of an anti-corruption operation. Lookout describes RCS Labs as an NSO Group-like entity. The company advertises itself as a “lawful interception” company and claims that it only works with government agencies. However, commercial spyware vendors have come under intense scrutiny in recent years, thanks in large part to governments using Pegasus spyware for .

According to Google, Hermit can infect Android and iOS devices. In some cases, the company’s researchers observed malicious actors working with their target’s Internet service provider to disable their data connection. They would then send the target an SMS message with a prompt to download the related software to restore their Internet connection. If that wasn’t an option, bad actors tried to disguise the spyware as a legitimate messaging app like WhatsApp or Instagram.

What makes Hermit particularly dangerous is that he can gain additional abilities by downloading mods from a command and control server. Some of the addons observed by Lookout allowed the program to steal data from the target’s calendar and address book apps, as well as take photos with their phone’s camera. A module even gave the spyware the ability to root an Android device.

Google thinks Hermit never made its way to the Play or App stores. However, the company found evidence that bad actors were able to distribute the iOS spyware by registering with Apple. apple said that it has since blocked all accounts or certificates associated with the threat. Meanwhile, Google notified affected users and rolled out an update to Google Play Protect.

The company ends its article by noting that the growth of the commercial spyware industry should concern everyone. “These vendors enable the proliferation of dangerous hacking tools and arm governments that may not be able to develop these capabilities internally,” the company said. “Although the use of surveillance technologies may be legal under national or international laws, it is often seen that they are used by governments for purposes contrary to democratic values: targeting dissidents, journalists, defenders of human rights and opposition party politicians.”


Comments are closed.