Igor Bonifacic

Google warns ISPs helped spread Hermit spyware

Google warns of a sophisticated new spyware campaign in which attackers steal sensitive data from Android and iOS users in Italy and Kazakhstan. On Thursday, the company’s Threat Analysis Group (TAG) shared its findings on RCS Labs, a commercial spyware vendor from Italy.

On June 16, security researchers from linked the company to Hermit, a spyware program believed to have been deployed by Italian authorities for the first time in 2019 as part of an anti-corruption operation. Lookout describes RCS Labs as an NSO Group-like entity. The company markets itself as a “lawful interception company” and claims it only works with government agencies. However, commercial spyware vendors have come under intense scrutiny in recent years, thanks in large part to governments using the Pegasus spyware to

According to Google, Hermit can infect both Android and iOS devices. In some cases, the company’s researchers saw that attackers were working with their target’s Internet service provider to disable their data connection. They then sent the target a text message asking them to download the associated software to restore their internet connection. If that wasn’t an option, the bad actors tried to disguise the spyware as a legitimate messaging app like WhatsApp or Instagram.

What makes Hermit particularly dangerous is that it can gain additional capabilities by downloading modules from a command and control server. Some of the add-ons that Lookout has observed allowed the program to steal data from the target’s calendar and address book apps, as well as take pictures with their phone’s camera. One module even gave the spyware the ability to root an Android device.

Google believes Hermit never made its way into the Play or App stores. However, the company found evidence that malicious parties could spread the spyware on iOS by subscribing to Apple’s † Apple told that it has since blocked any accounts or certificates associated with the threat. Meanwhile, Google has notified affected users and rolled out an update for Google Play Protect.

The company ends its post by saying that the growth of the commercial spyware industry should concern everyone. “These suppliers are spreading dangerous hacking tools and arming governments that could not develop these capabilities in-house,” the company said. “While the use of surveillance technologies may be legal under national or international laws, they often appear to be used by governments for purposes contrary to democratic values: targeting dissidents, journalists, human rights workers and politicians from opposition parties.”

All products recommended by Engadget have been selected by our editorial team, independent of our parent company. Some of our stories contain affiliate links. If you buy something through one of these links, we may earn an affiliate commission.
