According to research from Google's Threat Analysis Group (TAG), a sophisticated spyware operation is using internet service providers (ISPs) to lure people into installing dangerous programmes (via TechCrunch). This supports prior research from the security company Lookout, which connected the spyware, known as Hermit, to the Italian spyware maker RCS Labs. Lookout claims that RCS Labs sells commercial spyware to numerous government agencies and works in the same industry as NSO Group, the notorious surveillance-for-hire business that created the Pegasus spyware. Hermit, according to researchers at Lookout, has already been used by the governments of Italy and Kazakhstan. Based on these findings, Google has identified victims in both nations and says it will inform the individuals who are impacted.
Hermit is a modular threat that may download further capabilities from a command and control (C2) server, according to the description in Lookout's report. This gives the spyware access to the call logs, location, pictures, and text messages on the victim's phone. Hermit can also initiate and receive phone calls, capture audio, and root an Android smartphone to gain complete access to the operating system. By posing as a trusted source, usually a cell carrier or messaging app, the malware can infect both Android phones and iPhones. Google discovered that some attackers actively collaborated with ISPs to disable a victim's mobile data in order to advance their plan. The attackers would then pose as the victim's cell carrier over SMS, leading the victim to believe that installing the malicious programme would restore their internet access. In cases where attackers were unable to cooperate with an ISP, according to Google, they distributed apps that imitated genuine-looking chat applications and tricked users into installing them.
Hermit-containing applications, according to researchers from Lookout and TAG, were never made available through the Google Play or Apple App Stores. However, by joining Apple's Developer Enterprise Program, attackers were able to distribute compromised programmes on iOS. This allowed them to obtain a certificate that "satisfies all of the iOS code signing criteria on any iOS devices" without going through the App Store's usual verification process.
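One way a defender can spot the distribution path described above is to inspect the provisioning profile (`embedded.mobileprovision`) that ships inside every sideloaded iOS app bundle: an app signed through the Developer Enterprise Program carries a profile with `ProvisionsAllDevices` set, which never appears in an App Store install. The following Python is an added example written for this article, not code from Google, Lookout or RCS Labs; the profile contents are constructed test data, and the team names and identifiers in them are made up. Real profiles are CMS-signed blobs, so the parser simply slices out the XML plist payload, which is the usual quick read (on macOS, `security cms -D -i embedded.mobileprovision` gives the signature-verified view).

```python
import datetime as dt
import plistlib

PLIST_START = b"<?xml"
PLIST_END = b"</plist>"


def parse_mobileprovision(blob: bytes) -> dict:
    """Extract the plist dictionary from an embedded.mobileprovision blob.

    The file is a CMS (PKCS#7) signed message whose payload is an XML plist,
    so locating the <?xml ... </plist> span is enough to read the fields.
    This does not verify the signature; use `security cms -D` for that.
    """
    start = blob.find(PLIST_START)
    end = blob.find(PLIST_END, start)
    if start < 0 or end < 0:
        raise ValueError("no plist payload found in provisioning profile")
    return plistlib.loads(blob[start:end + len(PLIST_END)])


def classify_profile(profile: dict, now=None) -> dict:
    """Report how an app was distributed and whether its profile is still valid.

    ProvisionsAllDevices -> enterprise (in-house) distribution, no App Store review.
    ProvisionedDevices   -> ad-hoc, or development if get-task-allow is set.
    neither              -> App Store style profile.
    """
    ents = profile.get("Entitlements", {})
    if profile.get("ProvisionsAllDevices"):
        distribution = "enterprise"
    elif "ProvisionedDevices" in profile:
        distribution = "development" if ents.get("get-task-allow") else "ad-hoc"
    else:
        distribution = "app-store"

    if now is None:
        now = dt.datetime.now(dt.timezone.utc).replace(tzinfo=None)
    expires = profile.get("ExpirationDate")  # plistlib yields a naive datetime
    expired = expires is not None and expires < now

    return {
        "app_id": ents.get("application-identifier"),
        "team": profile.get("TeamName"),
        "distribution": distribution,
        "expired": expired,
        # Enterprise-signed apps on an employee or consumer device that the
        # organisation did not deploy deserve a closer look.
        "flag": distribution == "enterprise",
    }


def _constructed_profile(fields: dict) -> bytes:
    """Wrap a plist in dummy bytes so it resembles a CMS envelope (constructed test data)."""
    return b"\x30\x82\x01\x00-fake-cms-header-" + plistlib.dumps(fields) + b"-fake-signature-"


# Constructed sample: what an enterprise-distributed profile looks like.
ENTERPRISE_PROFILE = _constructed_profile({
    "AppIDName": "Example Chat",
    "TeamName": "Example Enterprise Ltd",            # made-up team
    "ProvisionsAllDevices": True,
    "ExpirationDate": dt.datetime(2030, 1, 1),
    "Entitlements": {"application-identifier": "TEAMID0000.com.example.chat"},
})

# Constructed sample: an ad-hoc profile pinned to one device UDID (made up).
ADHOC_PROFILE = _constructed_profile({
    "AppIDName": "Internal Beta",
    "TeamName": "Example Dev Team",
    "ProvisionedDevices": ["00008030-000000000000000A"],
    "ExpirationDate": dt.datetime(2030, 1, 1),
    "Entitlements": {
        "application-identifier": "TEAMID0000.com.example.beta",
        "get-task-allow": False,
    },
})


if __name__ == "__main__":
    for name, blob in (("enterprise", ENTERPRISE_PROFILE), ("ad-hoc", ADHOC_PROFILE)):
        print(name, classify_profile(parse_mobileprovision(blob)))
```

On a managed fleet this check is usually run by the MDM, which already lists installed apps and their signing profiles; the point of the script is the decision rule, not the collection. An enterprise profile is legitimate for an app the organisation itself deployed, so the `flag` result is a prompt to compare the team name against the organisation's own enrolment, not a verdict on its own.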