Researchers at Lookout Inc. last week detailed a newly discovered form of enterprise-grade Android “surveillanceware” or spyware, dubbed “Hermit” being used by the government of Kazakhstan. It was noted in the report that the software is believed to have been developed by Italian spyware vendor RCS Lab S.p.A.

A week later, researchers at Google LLC’s Threat Analysis Group today provided further details on Hermit and how it works. Notably, they found that Hermit also has an Apple Inc. iOS version.

According to the Google researchers, campaigns originated with a unique link sent to the target. Once it’s clicked, the page attempts to get the user to download and install a malicious application infected with Hermit on either Android or iOS.

It’s believed that in some cases, those using Hermit worked with the target’s internet service provider to disable the target’s mobile data connectivity. Once that’s done, the attacker would send a malicious link via SMS asking the targets to install an application to recover their data connectivity. In most attacks, the application downloaded masqueraded as a mobile carrier application.

As previously detailed by Lookout, Hermit is modular spyware that hides its malicious capabilities in downloaded packages after deployment. The spyware’s modules, along with the core malware’s permissions, enable Hermit to exploit a rooted device, record audio, make and redirect phone calls and collect data such as call logs, contacts, photos, device location and SMS messages.

Where the new Google research becomes even more interesting is with the iOS version. To distribute malicious iOS applications, the attackers followed Apple’s instructions on distributing proprietary in-house apps to Apple devices.

These apps still run inside the iOS app sandbox and are subject to the same technical privacy and security enforcement mechanisms (e.g. code side loading) as any App Store apps,” the researchers explained. “They can, however, be sideloaded on any device and don’t need to be installed via the App Store.”

The Google researchers found that the iOS version of Hermit exploited six known exploits in iOS, most of which have since been patched.

The researchers said the rise of the commercial spyware industry should concern all internet users.

“These vendors are enabling the proliferation of dangerous hacking tools and arming governments that would not be able to develop these capabilities in-house,” they concluded. “While use of surveillance technologies may be legal under national or international laws, they are often found to be used by governments for purposes antithetical to democratic values: targeting dissidents, journalists, human rights workers and opposition party politicians.”

Photo: Kim Seng/Flickr