Google has warned of an enterprise-grade spyware strain targeting Android and iOS mobile device users.
According to Google Threat Analysis Group (TAG) researchers Benoît Sevens and Clément Lecigne, together with Project Zero, a government- and enterprise-grade spyware strain with separate iOS and Android versions is now in active circulation.
The victims are located in Italy and Kazakhstan.
The spyware, called Hermit, is modular surveillanceware. After analyzing 16 of the 25 known modules, Lookout security researchers said the malware will try to root devices, and that its features include recording audio, redirecting or making phone calls, collecting SMS messages and call logs, stealing information such as contact lists and photos, and exfiltrating GPS location data.
Lookout’s analysis, published on June 16, suggested that the spyware is delivered through malicious SMS messages. TAG reached the same conclusion: unique links are sent to the target in messages that appear to come from an Internet Service Provider (ISP) or a messaging application.
“In some cases, we believe that the actors worked with the target’s ISP to disable the target’s mobile data connectivity,” Google says. “Once disabled, the attacker will send a malicious link via SMS asking the target to install an application to recover their data connectivity.”
The Lookout team was only able to obtain the Android version of Hermit, but a Google contribution has now added an iOS sample to the investigation. Neither sample was found in the official Google or Apple app stores. Instead, the spyware-laden apps were downloaded from third-party hosts.
The Android sample requires the victim to download the .apk after allowing the installation of apps from unknown sources. The malware disguised itself as a Samsung app and used Firebase as part of its command-and-control (C2) infrastructure.
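Because both Hermit samples arrived by sideloading rather than through an official store, one check a device administrator can run is to list third-party packages together with the installer that put them on the device and flag anything that did not come from a trusted store. The script below is an added example, not code from the article or from the researchers it cites; it assumes the `package:<name>  installer=<installer>` line format produced by `adb shell pm list packages -3 -i`, a trusted-installer list of Google Play and the Samsung Galaxy Store, and a constructed sample of that output.

```python
import re
from typing import Dict, List, NamedTuple

# Installers a device policy would normally treat as legitimate.
# Assumption: Google Play and Samsung Galaxy Store package names; extend per fleet.
TRUSTED_INSTALLERS = {
    "com.android.vending",              # Google Play
    "com.sec.android.app.samsungapps",  # Samsung Galaxy Store
}

# OEM-looking namespaces. A genuine OEM app ships in firmware or via a store,
# so an OEM-style name installed by hand is worth a closer look (constructed heuristic).
OEM_PREFIXES = ("com.samsung.", "com.sec.")

# Constructed sample of `adb shell pm list packages -3 -i` output; not real device data.
SAMPLE_PM_OUTPUT = """\
package:com.whatsapp  installer=com.android.vending
package:com.sec.android.app.sbrowser  installer=com.sec.android.app.samsungapps
package:com.samsung.android.connectivity  installer=com.google.android.packageinstaller
package:com.example.dataplan  installer=null
"""

_LINE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)\s*$")


class Finding(NamedTuple):
    package: str
    installer: str
    reason: str


def parse_pm_output(text: str) -> Dict[str, str]:
    """Parse `pm list packages -3 -i` output into {package_name: installer}.

    Lines that do not match the expected format are ignored rather than guessed at.
    """
    result: Dict[str, str] = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            result[m["pkg"]] = m["inst"]
    return result


def find_sideloaded(packages: Dict[str, str], trusted=TRUSTED_INSTALLERS) -> List[Finding]:
    """Return packages whose installer is not a trusted store, with a short reason.

    An installer of "null" (no recorded installer) is treated as untrusted, since a
    manually installed APK commonly shows up that way.
    """
    findings: List[Finding] = []
    for pkg, inst in sorted(packages.items()):
        if inst in trusted:
            continue
        reason = "installed outside trusted app stores"
        if pkg.startswith(OEM_PREFIXES):
            reason = "OEM-style package name but not installed by OEM store or Play"
        findings.append(Finding(pkg, inst, reason))
    return findings


if __name__ == "__main__":
    for f in find_sideloaded(parse_pm_output(SAMPLE_PM_OUTPUT)):
        print(f"{f.package:45} installer={f.installer:40} {f.reason}")
```

On a real device, replace `SAMPLE_PM_OUTPUT` with the captured output of the `pm` command; the installer field is only a first-pass signal, so anything flagged still needs the APK itself examined before conclusions are drawn.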
“While the APK does not contain any exploits, the code hints at the presence of exploits that can be downloaded and executed,” say the researchers.
Google has notified the Android users affected by the app and has updated Google Play Protect to protect users from it. Additionally, the Firebase projects associated with the spyware have been disabled.
An iOS sample signed with a certificate obtained from the Apple Developer Enterprise Program contained a privilege escalation exploit that could be triggered by six vulnerabilities.
Four of them (CVE-2018-4344, CVE-2019-8605, CVE-2020-3837, CVE-2020-9907) were already known; the other two, CVE-2021-30883 and CVE-2021-30983, were suspected to have been exploited in the wild as zero-days before Apple patched them in December 2021. The iPad and iPhone maker has also revoked the certificates associated with the Hermit campaign.
Google and Lookout say the spyware may be attributed to RCS Lab, an Italian company operating since 1993.
RCS Lab told TechCrunch that the firm “exports its products in compliance with both national and European rules and regulations,” and that “any sale or implementation of the products is carried out only after obtaining official authorization from the competent authorities.”
Hermit’s circulation only highlights a broader issue: the thriving spyware and digital surveillance industry.
Last week, Google testified at an EU parliamentary inquiry committee hearing on the use of Pegasus and other commercial-grade spyware.
TAG is currently tracking more than 30 vendors that provide exploits or spyware to government-backed entities. According to Charley Snyder, while their use may be legal, “they are often used by governments for purposes contrary to democratic values: targeting dissidents, journalists, human rights activists and politicians.”
“So when Google becomes aware of these activities, we not only take steps to protect users, but also publicly disclose that information to raise awareness and help the ecosystem,” Snyder commented.