Google Claims ISPs Helped Attackers Infect Targeted Smartphones With Hermit Spyware


A week after it emerged that sophisticated mobile spyware called Hermit was being used by the Kazakhstan government inside its borders, Google said it notified Android users of the infected devices.

Additionally, necessary changes have been implemented in Google Play Protect – Android’s built-in malware defense service – to protect all users, said Benoit Sevens and Clement Lecigne of Google Threat Analysis Group (TAG) in a report released Thursday.

Hermit, the work of an Italian vendor named RCS Lab, was documented by Lookout last week calling its modular feature set and abilities to collect sensitive information such as call logs, contacts, photos, precise location and SMS messages.

Once the threat has fully insinuated itself into a device, it is also equipped to record audio and make and redirect phone calls, in addition to abusing its Accessibility Services permissions to keep tabs on the leading applications used by the victims.

Its modularity also allows it to be fully customizable, equipping the functionalities of the spy software to be extended or modified at will. It was not immediately clear who was targeted in the campaign, or which RCS Lab clients were involved.

The Milan-based company, operating since 1993, claims to have been providing “law enforcement agencies around the world with state-of-the-art technological solutions and technical support in the field of lawful interception for over twenty years”. More than 10,000 intercepted targets are said to be handled daily in Europe alone.

“Hermit is another example of a digital weapon being used to target civilians and their mobile devices, and the data collected by the malicious parties involved will certainly be invaluable,” said Richard Melick, Director of Threat Reporting for Zimperium.

Targets see their phones infected with the spy tool via drive-through downloads as the initial infection vectors, which, in turn, involves sending a unique link in an SMS message which, upon clicking, activates the attack chain.

It is suspected that the actors worked in conjunction with the targets’ Internet Service Providers (ISPs) to disable their mobile data connectivity, followed by sending an SMS urging recipients to install an app to restore access to the mobile data.

“We believe this is why most apps have impersonated mobile operator apps,” the researchers said. “When ISP involvement is not possible, apps are disguised as messaging apps.”

To compromise iOS users, the adversary relied on provisioning profiles that allow fake carrier-branded apps to be downloaded onto devices without the need for them to be available on the App Store .


An analysis of the app’s iOS version shows it exploits up to six exploits – CVE-2018-4344, CVE-2019-8605, CVE-2020-3837, CVE-2020-9907, CVE-2021-30883 and CVE-2021-30983 — to exfiltrate files of interest, such as the WhatsApp database, from the device.

“As the curve slowly shifts towards exploiting memory corruption that becomes more expensive, attackers are likely shifting too,” said Google Project Zero’s Ian Beer in an in-depth analysis of an iOS artifact that mimicked the app. of the operator My Vodafone.

cyber security

On Android, drive-by attacks require victims to enable a setting to install third-party apps from unknown sources, which results in the malicious app, impersonating smartphone brands like Samsung, asking for extended permissions to achieve its malicious goals.

The Android variant, in addition to attempting to root the device for rooted access, is also wired differently in that instead of bundling exploits into the APK file, it contains a feature that allows it to fetch and run arbitrary remote components that can communicate with the main application.

“This campaign is a good reminder that attackers don’t always use exploits to get the permissions they need,” the researchers noted. “Basic infection vectors and download driving still work and can be very effective with the help of local ISPs.”

Stating that seven of the nine zero-day exploits it discovered in 2021 were developed by commercial vendors and sold and used by government-backed actors, the tech giant said it was tracking more than 30 vendors. with varying levels of sophistication that are known to trade exploits and surveillance capabilities.

Additionally, Google TAG raised concerns that vendors like RCS Lab “covertly store zero-day vulnerabilities” and warned that this poses serious risks given that a number of vendors Spyware has been compromised for the past ten years, “raising the specter that their stocks may be made public without warning.”

“Our findings underscore the extent to which commercial surveillance vendors have proliferated capabilities historically used only by governments with the technical expertise to develop and operationalize exploits,” TAG said.

“Although the use of surveillance technologies may be legal under national or international laws, it is often seen that they are used by governments for purposes contrary to democratic values: targeting dissidents, journalists, defenders of human rights and opposition party politicians.”


Comments are closed.