After the WhatsApp-Pegasus disclosure, Google has now found evidence of enterprise-grade Android spyware targeting high-profile users and has identified victims located in Italy and Kazakhstan.
Recently, cybersecurity researchers at Lookout Threat Lab uncovered an enterprise-grade Android surveillance-ware. Dubbed ‘Hermit,’ the spyware is likely developed by Italian spyware vendor RCS Lab S.p.A and Tykelab Srl, a telecommunications solutions company that Lookout suspected operated as a front company.
Google, in a recent blog post, confirmed the same malware family targeting users that was described in detail by Lookout on June 16.
In the blog post, Google detailed these capabilities, attributing the spyware to RCS Labs, an Italian vendor, “that uses a combination of tactics, including atypical drive-by downloads as initial infection vectors, to target mobile users on both iOS and Android.”
The Pegasus parallel
According to Lookout, RCS Lab operates in the same market as Pegasus developer NSO Group Technologies and Gamma Group, which created FinFisher.
Pegasus has been under the scanner after security researchers found the spyware being used across the globe to target individuals, including human rights activists and journalists. The spyware can be used to remotely break into iPhones, providing deep access into the target’s phone.
“Collectively branded as ‘lawful intercept’ companies, they claim to only sell to customers with legitimate use for surveillance-ware, such as intelligence and law enforcement agencies. In reality, such tools have often been abused under the guise of national security to spy on business executives, human rights activists, journalists, academics and government officials,” Lookout said in a post.
Malicious links sent
According to Google, all observed campaigns involving the spyware began with a unique link sent to the target. “Once clicked, the page attempted to get the user to download and install a malicious application on either Android or iOS. In some cases, we believe the actors worked with the target’s ISP to disable the target’s mobile data connectivity,” it explained.
“Once disabled, the attacker would send a malicious link via SMS asking the target to install an application to recover their data connectivity. We believe this is the reason why most of the applications masqueraded as mobile carrier applications. When ISP involvement is not possible, applications are masqueraded as messaging applications,” it added.
These malicious apps can disguise themselves as legitimate apps.
Though the applications were never available in Google Play, Google has notified Android users whose devices were infected and has implemented changes in Google Play Protect to protect all users. It has also disabled the Firebase projects used in the campaign.
How it works
According to Lookout, Hermit hides its malicious capabilities in packages downloaded after it’s deployed. It can exploit a rooted device, record audio and even make and redirect phone calls, as per the Lookout report. The spyware can also collect data such as call logs, contacts, photos, device location and SMS messages.
Google also analysed Hermit’s operations on iOS. According to the tech giant, the spyware exploits Apple enterprise developer certificates. The malicious apps can be sideloaded on any device and don’t need to be installed via the App Store. Google further said that it did not believe that the apps were ever available on the App Store.
Previous uses
According to Lookout, Hermit has been deployed previously by Italian authorities in an anti-corruption operation in 2019. It has also found evidence suggesting that an unknown actor used it in northeastern Syria.
Google did not specify how many users were impacted by the spyware.
Published on June 24, 2022