Seriously! TAG Google Finds Help From ISPs To Deploy Spyware Hermit

Spyware Hermit spreads with the help of ISPs. (photo: doc. pixabay)

JAKARTA - Advanced spyware campaigns are getting help from internet service providers (ISPs) to trick users into downloading malicious applications. This is revealed, according to research published by Google's Technical Analysis Group (TAG).

It also corroborates previous findings from security research group Lookout, which has linked the spyware, dubbed Hermit, to Italian spyware vendor RCS Labs.

Lookout says RCS Labs is on the same path as the NSO Group, the notorious surveillance leasing company behind the Pegasus spyware. NSO Group has been peddling their commercial spyware to various government agencies.

Researchers at Lookout believe the Hermits have been deployed by the Kazakh government and Italian authorities. In line with these findings, Google has identified victims in both countries and said it would notify affected users of the spyware.

Described in the Lookout report, Hermit is a modular threat that can download additional capabilities from the command and control (C2) server. This allows the spyware to access call logs, locations, photos, and text messages on the victim's device.

Hermit can also record audio, make and intercept phone calls, and root Android devices, giving it complete control over its core operating system.

This spyware can infect Android and iPhone by masquerading as a legitimate source, usually in the form of a cellular carrier or messaging app.

Google's cybersecurity researchers have also found that some attackers actually work with ISPs to shut down victims' mobile data to further their schemes. The malicious actors will then impersonate the victim's mobile operator via SMS and trick users into believing that downloading a malicious app will restore their internet connectivity.

If attackers can't work with ISPs, Google says they are posing as apparently genuine messaging apps that trick users into downloading.

Researchers from Lookout and TAG also said apps containing Hermit were never available through Google Play or the Apple App Store. However, attackers can distribute infected apps on iOS by enrolling in the Apple Developer Enterprise Program.

This allows bad actors to bypass the standard App Store vetting process and obtain a certificate that “meets all iOS code signing requirements on any iOS device.”

Apple told The Verge it had revoked the account or certificate associated with the threat. Apart from notifying affected users, Google has also pushed the Google Play Protect update to all users.