Researchers at the Google Threat Analysis Group (GTAG) published a study revealing an elaborate hacking campaign in which ISPs helped attackers distribute the Hermit spyware. Google's work confirms the findings of an earlier study by the cybersecurity firm Lookout, which linked Hermit to the Italian developer RCS Labs.
According to Lookout, RCS Labs develops spyware that it sells to government agencies around the world. Experts have identified indications that the Hermit tool has already been used by the government of Kazakhstan as well as by the Italian authorities. This was confirmed by Google's researchers, who identified and notified surveillance victims in both countries.
The Lookout report states that Hermit is a dangerous tool that can load additional modules on demand to expand its capabilities. The software can be used to gain access to call recordings, device location, photos and videos, text messages and other information stored on the victim's device. Hermit can also record and intercept calls, and can gain superuser privileges on the device, giving it full control over the operating system.
Hermit can be used to attack users of both Android- and iOS-based devices. It usually disguises itself as a legitimate mobile-operator or messenger application. Google's researchers noted that in some cases the attackers worked with local providers, who cut off the victims' internet connection, a step the malware delivery scheme depends on. Once the victim was offline, the attackers, posing as the provider, contacted the victim and persuaded them to install a supposedly legitimate application that would restore their connectivity.
According to GTAG and Lookout, Hermit has never been distributed through official app stores such as the Google Play Store or Apple's App Store. However, the attackers managed to spread the iOS variant by enrolling in the Apple Developer Enterprise Program. Participation in that program allowed the attackers to bypass the standard App Store review process and obtain a certificate that satisfies the platform's code-signing requirements. Apple has since suspended the certificates and accounts connected to Hermit.