Attackers collude with ISP insiders to distribute Hermit spyware on Android and iOS
A sophisticated spyware campaign is being surreptitiously helped by Internet Service Provider (ISP) insiders to trick users into downloading malicious apps, according to research published by Google’s Threat Analysis Group (TAG).
This confirms earlier findings by security research group Lookout, which linked the spyware, dubbed Hermit, to Italian spyware vendor RCS Labs.
A case of a hacked and tampered website
Lookout said RCS Labs is the same company as NSO Group, the notorious surveillance-for-hire firm behind the Pegasus spyware, which sells commercial spyware to government agencies at all levels.
Lookout researchers believe Hermit has been deployed by the Kazakh government and Italian authorities.
Based on the findings, Google has identified victims in both countries and said it will notify affected users.
As described in the Lookout report, Hermit is a modular threat that can download additional functionality from a command and control (C2) server.
This allows the spyware to access call logs, locations, photos and text messages on the victim’s device.
Hermit can also record audio, make and intercept calls, and root Android devices, which gives it full control over its core operating system.
“Apps containing Hermit are never available through Google Play or the Apple App Store”
This spyware can infect Android phones and Apple iPhones by disguising itself as a legitimate source, usually in the form of a mobile carrier or messaging app.
Google’s cybersecurity researchers have found that some attackers are actually working with internet service providers to turn off victims’ mobile data in order to advance their schemes.
Bad actors would then impersonate the victim’s mobile carrier via text message, tricking users into believing that downloading a malicious app would restore their internet connection.
If attackers can’t work with ISPs, Google says they’ll pretend to be authentic-looking messaging apps and trick users into downloading them.
The Lookout and TAG researchers said that the Hermit-containing app was never made available through Google Play or the Apple App Store.
However, attackers were able to distribute infected apps on iOS by enrolling in Apple’s Developer Enterprise Program.
This allows malicious actors to bypass the App Store’s standard review process and obtain certificates that “meet all iOS code signing requirements on any iOS device.”
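One practical check a defender can run on a sideloaded iOS app is to inspect its `embedded.mobileprovision`: an in-house (Developer Enterprise Program) profile carries `ProvisionsAllDevices = true`, which is exactly what lets an app install on any device without App Store review. The script below is an added example written for this article, not code from Google TAG, Lookout or Apple. It assumes the standard Apple profile keys (`ProvisionsAllDevices`, `ProvisionedDevices`, `Entitlements`, `get-task-allow`, `ExpirationDate`), and the two sample profiles are constructed inline (with a fake CMS wrapper) so it runs offline; it does not verify the CMS signature.

```python
"""Triage an iOS embedded.mobileprovision to tell enterprise-signed sideloads
from development, ad-hoc and App Store distribution profiles.
Added example; sample profiles below are constructed, not real."""
import plistlib
from datetime import datetime


def extract_plist(raw: bytes) -> dict:
    """Pull the XML plist out of a CMS-wrapped .mobileprovision.

    A real profile is a PKCS#7/CMS blob whose payload is a contiguous XML
    plist, so slicing from '<?xml' to '</plist>' is sufficient for triage
    (the CMS signature itself is NOT checked here)."""
    start = raw.find(b"<?xml")
    end = raw.find(b"</plist>")
    if start == -1 or end == -1:
        raise ValueError("no embedded plist found in profile bytes")
    return plistlib.loads(raw[start:end + len(b"</plist>")])


def classify_profile(profile: dict) -> str:
    """Map profile keys to Apple's four distribution models."""
    entitlements = profile.get("Entitlements", {})
    if profile.get("ProvisionsAllDevices"):
        # In-house / enterprise profile: installs on any device, never passes
        # App Store review. This is the distribution path the article describes.
        return "enterprise"
    if entitlements.get("get-task-allow"):
        # Debuggable build signed with a development certificate.
        return "development"
    if profile.get("ProvisionedDevices"):
        # Ad-hoc profile: restricted to an explicit UDID list.
        return "ad-hoc"
    # No device list and not enterprise: App Store distribution profile.
    return "app-store"


def triage(raw: bytes, now: datetime) -> dict:
    """Return the facts an analyst wants at a glance for one profile."""
    profile = extract_plist(raw)
    kind = classify_profile(profile)
    expiration = profile.get("ExpirationDate")  # plistlib yields a naive UTC datetime
    return {
        "kind": kind,
        "team": profile.get("TeamName"),
        "app_id": profile.get("Entitlements", {}).get("application-identifier"),
        "expired": bool(expiration and expiration < now),
        # Enterprise-signed apps on a personal device outside a managed fleet
        # deserve a closer look; a revoked/expired profile means Apple pulled it.
        "sideloaded_enterprise": kind == "enterprise",
    }


def _constructed_profile(fields: dict) -> bytes:
    """Constructed sample: a fake CMS prefix/suffix around a real XML plist."""
    return b"\x30\x82\x0b\xad" + plistlib.dumps(fields) + b"\x00\x00"


# Constructed: an in-house profile with a carrier-themed app name (placeholder values).
ENTERPRISE_SAMPLE = _constructed_profile({
    "AppIDName": "Carrier Support",
    "TeamName": "EXAMPLE-TEAM",
    "ProvisionsAllDevices": True,
    "ExpirationDate": datetime(2023, 6, 1),
    "Entitlements": {
        "application-identifier": "EXAMPLETEAMID.com.example.carrier",
        "get-task-allow": False,
    },
})

# Constructed: an App Store distribution profile for contrast (placeholder values).
APPSTORE_SAMPLE = _constructed_profile({
    "AppIDName": "Example Messenger",
    "TeamName": "EXAMPLE-TEAM",
    "ExpirationDate": datetime(2030, 1, 1),
    "Entitlements": {
        "application-identifier": "EXAMPLETEAMID.com.example.messenger",
        "get-task-allow": False,
    },
})


if __name__ == "__main__":
    now = datetime(2022, 6, 23)  # constructed reference time
    for label, sample in (("enterprise", ENTERPRISE_SAMPLE), ("app-store", APPSTORE_SAMPLE)):
        print(label, triage(sample, now))
```

On a real device backup or an extracted IPA, feed the bytes of `Payload/<App>.app/embedded.mobileprovision` to `triage()`; on macOS the same plist can be viewed with `security cms -D -i embedded.mobileprovision` for comparison. An `enterprise` result on an unmanaged personal device, especially for an app named after a carrier or messenger, matches the distribution pattern described above and is worth investigating rather than trusting because the signature is valid.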
Apple said it was aware of and revoked any accounts or credentials associated with the threat.
In addition to notifying affected users, Google has also pushed a Google Play Protect update to all users.
Read the full safety report: