Google documents new threat : mobile spyware Hermit is fully customizable
27. Juni 2022Google documents new threat : mobile spyware Hermit is fully customizable
San Francisco, 6/27/2022
A week after it was revealed that the Kazakh government had deployed a sophisticated mobile spyware called „Hermit“ within its borders, Google informed all Android users , if their device was infected.
Lookout managed to document Hermit last week. This is a product of the Milan, Italy-based company RCS Lab. The strongest interest was in the capabilities made possible by its modular features:
https://thehackernews.com/2022/06/researchers-uncover-hermit-android.html
If Hermit managed to sneak into a device, it could record audio data, make and redirect phone calls. But the kicker is: thanks to its modularity, Hermit can fully adapt to the device environment.
Who is using this spyware? RCS Lab says it’s law enforcement agencies that are active in lawful surveillance around the world with cutting-edge technological solutions and technical support. Allegedly, more than 10,000 intercepted targets are processed every day in Europe alone.
Critics see it differently. They believe this digital weapon is being used to target civilians and their mobile devices. The data collected with Hermit would likely be invaluable.
Two other data theft tricks should be noted:
– Phones of targeted individuals are infected with the spy tool via drive-by downloads, which in turn results in the sending of a unique link in an SMS message that, once clicked, sets the attack chain in motion.
– it is also suspected that the actors worked with the targets‘ Internet service providers (ISPs) to disable their mobile data connection and then send an SMS asking recipients to install an application to restore mobile data access. Indeed, that would explain why many applications disguised themselves as mobile carrier applications.But even without an ISP’s involvement, there is still a way: disguise the applications as messaging applications.
To compromise iOS users, the attackers would have resorted to provisioning profiles. After that, it is possible to load fake mobile carrier-branded apps onto the devices without them having to be available in the App Store. Apple has revoked all known accounts and certificates associated with Hermit following this revelation.
