Cloud Hosting

Hermit is the latest sophisticated spyware in the news, and it is believed to have targeted iPhones and Android devices in Italy and Kazakhstan. Hermits deployment the spyware has been developed by an Italian vendor called RCS Lab was first reported by cyber security researchers at the Lookout, a San-Francisco-based cybersecurity firm. Then Googles Threat Analysis Group (TAG) put out a detailed blog post last week, explaining how they believed Hermit was used to target devices.

Hermit is a spyware on the lines of Pegasus by NSO Group. Once installed on a device, it can record audio on the device, carry out unauthorised calls, and carry out many unauthorised activities. According to Lookout, the spyware can steal stored account emails, contacts, browser bookmarks/searches, calendar events, etc. It can also take pictures on the device, steal device information such as details about applications, the kernel information, model, manufacturer, OS, security patch, phone number, etc. It can also download and install APK (the app software files on Android) on a compromised phone.

The spyware can also upload files from the device, read notifications, and take pictures of the screen. Because it can gain access to the root or the privilege access of an Android system, Lookouts research showed, it can uninstall apps like Telegram and WhatsApp. According to the researchers, the spyware can silently uninstall/reinstall Telegram. Except the reinstalled version is likely a compromised one. It can also steal data from the old app. For WhatsApp, it can prompt the user to reinstall WhatsApp via Play Store.

So, once Hermit has been deployed to a phone, it can control and track data from all key applications.

Sophisticated spyware such as Hermit and Pegasus cost millions of dollars in licensing fees, and these are not simple operations. Its not like common malware targeting regular users. And in the case of Hermit, it appears the operations used were complex. According to Googles TAG team, all campaigns started with a unique link sent to the victims phone. When the user clicked, the page installed the application on both Android and iOS.

According to Google, they believed the actors targeting the victims had to work with the targets Internet Service Provider or ISP. Google notes, We believe the actors worked with the targets ISP to disable the targets mobile data connectivity. Once disabled, the attacker would send a malicious link via SMS asking the target to install an application to recover their data connectivity. We believe this is the reason why most applications masquerade as mobile carrier applications.

When ISP involvement was not possible, the spyware would pretend to be a messaging app. According to Googles screenshot example, the link would pretend to be a recovery page for a Facebook account and ask users to download a version of either WhatsApp, Instagram or Facebook. This is when the device was an Android. These were obviously compromised versions of these messaging apps.

According to Lookout, some attacks in Kazakhstan masqueraded as pages for Oppo, Samsung and Vivo all well-known phone brands. Further, their research shows that RCS Lab also worked with Tykelab Srl, a telecommunications solutions company. Lookout believe that this is likely a front company for RCS Lab, and their blogpost claims to show several links between these two.

In Apples case, Googles research showed that the spyware exploited Apples enterprise certificate, which is given to apps by select enterprises. This certification allows companies to distribute their own in-house apps for direct downloads on iOS devices, bypassing the App Store. The Hermit spyware apps had managed to get these certifications which have since been revoked by Apple.

Google said that a company named 3-1 Mobile SRL had the necessary certificate, as it was enrolled in the Apple Developer Enterprise Program. Google also stressed they do not believe the apps were ever available on the App Store. These apps once installed exploited several known flaws and other zero-day exploits to gain more access and carry out surveillance. According to a new report by 9to5Mac, Apple has now revoked the certificates for these compromised apps.

As noted, Hermit is not a common spyware. Lookouts analysis shows that in Kazakhstan, an entity of the national government is likely behind the campaign. Google also noted that it had identified and alerted all Android victims in Italy and Kazakhstan. It also said it had implemented changes in Google Play Protect and disabled all Firebase projects used to command and control the campaign.

Lookout also states theyve seen this deployed in Syria. In Italy, documents showed it had been misused in an anti-corruption operation. The document mentioned an iOS version of Hermit and linked RCS Lab and Tykelab to the malware, which corroborates our analysis, notes the blog.

According to them, mobile devices are the perfect target for surveillance. While not all of us will be targeted, users should continue to follow basic tips. This includes regularly updating your phones, as each update includes a patch for previously known or unknown vulnerabilities. Once again, users should avoid clicking on unknown links, even if done out of curiosity. It is also recommended that users periodically review apps on their device to keep track of whether something unknown was added.

Newsletter | Click to get the days best explainers in your inbox

Googles blog post also offers strong condemnation of surveillance tools being used by the state, and notes that in many instances, these are being used by governments for purposes antithetical to democratic values: targeting dissidents, journalists, human rights workers and opposition party politicians.

Meanwhile, RCS Labs has denied any wrongdoing, saying its products and services comply with European rules and help law enforcement investigate crimes, as per a Reuterss report.

More:
What is Hermit spyware? - The Indian Express