Google Says ISPs Helped Attackers Infect Targeted Smartphones With Hermit Spyware


A week after it became known that a sophisticated mobile spyware called Hermit was being used by the government of Kazakhstan within its borders, Google said it had notified Android users of infected devices.

In addition, the necessary changes have been made in Google Play Protect – Android’s built-in malware defense service – to protect all users, Benoit Sevens and Clement Lecigne of Google Threat Analysis Group (TAG) said in a Thursday message.

Hermit, the work of an Italian vendor called RCS Lab, was documented by Lookout last week, citing its modular feature set and its capabilities to collect sensitive information such as call logs, contacts, photos, precise location, and text messages.

Once the threat has insinuated itself thoroughly into a device, it is also equipped to record audio and make and redirect phone calls, in addition to abusing Accessibility services permissions to keep an eye on the foreground apps used by victims.

Its modular design also makes it fully customizable, allowing the spyware's functionality to be extended or modified at will. It's not immediately clear who was the target of the campaign, or which of the RCS Lab customers were involved.

The Milan-based company, operating since 1993, claims to “provide law enforcement agencies worldwide with advanced technology solutions and technical support in the field of lawful interception for more than two decades.” More than 10,000 intercepted targets are said to be handled daily in Europe alone.

“Hermit is yet another example of a digital weapon being used to attack civilians and their mobile devices, and the data collected by the attackers involved will certainly be invaluable,” said Richard Melick, director of threat reporting for Zimperium.

The targets' phones were infected with the spy tool via drive-by downloads used as the initial infection vector, which involves sending a unique link in a text message that, when clicked, activates the attack chain.

It is suspected that the actors collaborated with the targets’ internet service providers (ISPs) to disable their mobile data connection, followed by sending a text message urging the recipients to install an application to restore mobile data access.

“We think this is why most applications masquerade as mobile carrier applications,” the researchers said. “If ISP involvement is not possible, applications are disguised as messaging applications.”

To target iOS users, the adversary would have relied on provisioning profiles that allow fake carrier-branded apps to be sideloaded onto the devices without needing to be available in the App Store.

An analysis of the iOS version of the app shows that it uses as many as six exploits – CVE-2018-4344, CVE-2019-8605, CVE-2020-3837, CVE-2020-9907, CVE-2021-30883 and CVE-2021-30983 – to exfiltrate interesting files, such as WhatsApp databases, from the device.

“As the curve slowly shifts towards memory corruption exploitation becoming more expensive, attackers are likely to shift as well,” said Ian Beer of Google Project Zero in an in-depth analysis of an iOS artifact masquerading as the My Vodafone carrier app.

On Android, the drive-by attacks require victims to enable a setting to install third-party applications from unknown sources, after which the rogue app, masquerading as smartphone brands like Samsung, asks for extended permissions to achieve its malicious goals.

The Android variant not only attempts to root the device for deep-rooted access, but it is also wired differently in the sense that instead of bundling exploits in the APK file, it includes functionality that allows it to fetch and run arbitrary third-party components that can communicate with the main app.
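A defender-side triage helper, added here as an example and not code from Google, Lookout or the article: it maps the data-collection and call-control capabilities attributed to Hermit above to the Android permissions a sideloaded app would have to declare, and flags a manifest that also exposes an accessibility service. The manifest and its package name are constructed for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Capabilities described for Hermit, mapped to the Android permissions an app
# must declare in its manifest to obtain them without an exploit.
CAPABILITY_PERMISSIONS = {
    "call logs": {"android.permission.READ_CALL_LOG"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "photos": {"android.permission.READ_EXTERNAL_STORAGE", "android.permission.READ_MEDIA_IMAGES"},
    "precise location": {"android.permission.ACCESS_FINE_LOCATION"},
    "text messages": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "record audio": {"android.permission.RECORD_AUDIO"},
    "make/redirect calls": {"android.permission.CALL_PHONE", "android.permission.PROCESS_OUTGOING_CALLS"},
    "install further components": {"android.permission.REQUEST_INSTALL_PACKAGES"},
}


def triage_manifest(manifest_xml: str) -> dict:
    """Return which Hermit-style capabilities a manifest asks for and a rough score."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"
    perm_attr = f"{{{ANDROID_NS}}}permission"
    declared = {el.get(name_attr) for el in root.iter("uses-permission")}
    capabilities = sorted(cap for cap, perms in CAPABILITY_PERMISSIONS.items() if declared & perms)
    # An accessibility service is a <service> guarded by BIND_ACCESSIBILITY_SERVICE;
    # it lets an app observe (and act on) whatever app is in the foreground.
    accessibility = any(
        svc.get(perm_attr) == "android.permission.BIND_ACCESSIBILITY_SERVICE"
        for svc in root.iter("service"))
    return {"package": root.get("package"), "capabilities": capabilities,
            "accessibility_service": accessibility,
            "score": len(capabilities) + (2 if accessibility else 0)}


# Constructed manifest for a hypothetical "carrier settings" app (not a real sample).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.carrier.settings">
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application>
    <service android:name=".A11y" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

A score this high on an app that is not a system or store-signed carrier app is the kind of finding worth escalating, since a genuine carrier data-settings app has no reason to read SMS, call logs or the microphone.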

“This campaign is a good reminder that attackers don’t always use exploits to get the necessary permissions,” the researchers noted. “Basic infection vectors and drive-by downloads still work and can be very efficient with the help of local ISPs.”

The tech giant said seven of the nine zero-day exploits it discovered in 2021 were developed by commercial providers and sold to and used by government-backed actors. exploits and surveillance capabilities.

In addition, Google TAG expressed concern that vendors like RCS Lab are “secretly building zero-day vulnerabilities” and warned that this poses serious risks as a number of spyware vendors have been compromised over the past decade, “raising the specter that their stocks may be made public without warning.”

“Our findings underscore the extent to which commercial surveillance vendors have extensive capabilities that have historically been used only by governments with the technical expertise to develop and operationalize exploits,” said TAG.

“While the use of surveillance technologies may be legal under national or international laws, they often appear to be used by governments for purposes contrary to democratic values: targeting dissidents, journalists, human rights workers and politicians from opposition parties.”