October 1, 2022

COSFONE


Attackers collude with ISP insiders to distribute Hermit spyware on Android and iOS



A sophisticated spyware campaign is being surreptitiously helped by Internet Service Provider (ISP) insiders to trick users into downloading malicious apps, according to research published by Google’s Threat Analysis Group (TAG).

This confirms earlier findings by security research group Lookout, which linked the spyware, dubbed Hermit, to Italian spyware vendor RCS Labs.


A case of a hacked and tampered website

Lookout said RCS Labs operates in the same business as NSO Group, the notorious surveillance-for-hire firm behind the Pegasus spyware: selling commercial spyware to government agencies at all levels.

Lookout researchers believe Hermit has been deployed by the Kazakh government and Italian authorities.

Based on the findings, Google has identified victims in both countries and said it will notify affected users.

As described in the Lookout report, Hermit is a modular threat that can download additional functionality from a command and control (C2) server.

This allows the spyware to access call logs, locations, photos and text messages on the victim’s device.

Hermit can also record audio, make and intercept calls, and root Android devices, which gives it full control over the operating system.

“Apps containing Hermit are never available through Google Play or the Apple App Store”

This spyware can infect Android devices and Apple iPhones by disguising itself as a legitimate source, usually in the form of a mobile carrier or messaging app.

Google’s cybersecurity researchers have found that some attackers are actually working with internet service providers to turn off victims’ mobile data in order to advance their schemes.

Bad actors would then impersonate the victim’s mobile carrier via text message, tricking users into believing that downloading a malicious app would restore their internet connection.

If attackers can’t work with ISPs, Google says they’ll pretend to be authentic-looking messaging apps and trick users into downloading them.

The Lookout and TAG researchers said that the Hermit-containing app was never made available through Google Play or the Apple App Store.

However, attackers were able to distribute infected apps on iOS by enrolling in Apple’s Developer Enterprise Program.

This allows malicious actors to bypass the App Store’s standard review process and obtain certificates that “meet all iOS code signing requirements on any iOS device.”
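An App Store app carries no provisioning profile, while an enterprise-signed build must embed one whose ProvisionsAllDevices flag is set; the following Python snippet, added here as an example and not part of the original article or of Google's or Lookout's research, extracts that profile and flags enterprise provisioning. The key names are Apple's; the team name, identifier and dates are constructed sample values.

```python
import plistlib
from datetime import datetime, timezone

# Constructed stand-in for the plist payload inside an app's
# embedded.mobileprovision. Real profiles wrap this XML in a CMS
# signature (approximated here by junk bytes on either side). Only
# the key names are Apple's; every value is made up for this example.
SAMPLE_PROFILE = b"\x30\x82\x0a\x00cms-header-bytes" + plistlib.dumps({
    "AppIDName": "Carrier Helper",                  # constructed
    "TeamName": "Example Enterprise Inc",           # constructed
    "TeamIdentifier": ["ABCDE12345"],               # constructed
    "ProvisionsAllDevices": True,                   # enterprise hallmark
    "ExpirationDate": datetime(2023, 6, 1),         # constructed
    "Entitlements": {"get-task-allow": False},
}) + b"cms-signature-bytes"


def extract_plist(blob: bytes) -> dict:
    """Pull the XML plist out of a CMS-wrapped profile blob."""
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("no plist payload found in profile")
    return plistlib.loads(blob[start:end + len(b"</plist>")])


def classify_profile(profile: dict, now: datetime) -> dict:
    """Summarise how a build was provisioned so that sideloaded
    enterprise builds can be singled out for review."""
    exp = profile.get("ExpirationDate")
    if exp is not None and exp.tzinfo is None:
        exp = exp.replace(tzinfo=timezone.utc)  # plistlib dates are naive UTC
    return {
        "team": profile.get("TeamName", "<unknown>"),
        # Enterprise profiles run on any device; ad hoc ones list UDIDs.
        "enterprise": bool(profile.get("ProvisionsAllDevices", False)),
        "ad_hoc": "ProvisionedDevices" in profile,
        "expired": exp is not None and exp <= now,
    }


def audit_profile(blob: bytes, now: datetime = None) -> dict:
    """Convenience wrapper: extract, then classify against `now`."""
    if now is None:
        now = datetime.now(timezone.utc)
    return classify_profile(extract_plist(blob), now)


if __name__ == "__main__":
    print(audit_profile(SAMPLE_PROFILE))
```

On a real device this check runs against the embedded.mobileprovision of each sideloaded app; a build from an unknown team with ProvisionsAllDevices set is exactly the distribution path described above.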

Apple said it was aware of the threat and had revoked any accounts or credentials associated with it.

In addition to notifying affected users, Google has also pushed a Google Play Protect update to all users.

Read the full TAG report:

https://blog.google/threat-analysis-group/italian-spyware-vendor-targets-users-in-italy-and-kazakhstan/
