UPDATED 19:57 EST / JUNE 23 2022

SECURITY

Google researchers find iOS version of Italian ‘Hermit’ spyware

Researchers at Lookout Inc. last week detailed a newly discovered form of enterprise-grade Android “surveillanceware” or spyware, dubbed “Hermit” being used by the government of Kazakhstan. It was noted in the report that the software is believed to have been developed by Italian spyware vendor RCS Lab S.p.A.

A week later, researchers at Google LLC’s Threat Analysis Group today provided further details on Hermit and how it works. Notably, they found that Hermit also has an Apple Inc. iOS version.

According to the Google researchers, campaigns originated with a unique link sent to the target. Once it’s clicked, the page attempts to get the user to download and install a malicious application infected with Hermit on either Android or iOS.

It’s believed that in some cases, those using Hermit worked with the target’s internet service provider to disable the target’s mobile data connectivity. Once that’s done, the attacker would send a malicious link via SMS asking the targets to install an application to recover their data connectivity. In most attacks, the application downloaded masqueraded as a mobile carrier application.

As previously detailed by Lookout, Hermit is modular spyware that hides its malicious capabilities in downloaded packages after deployment. The spyware’s modules, along with the core malware’s permissions, enable Hermit to exploit a rooted device, record audio, make and redirect phone calls and collect data such as call logs, contacts, photos, device location and SMS messages.

Where the new Google research becomes even more interesting is with the iOS version. To distribute malicious iOS applications, the attackers followed Apple’s instructions on distributing proprietary in-house apps to Apple devices.

These apps still run inside the iOS app sandbox and are subject to the same technical privacy and security enforcement mechanisms (e.g. code side loading) as any App Store apps,” the researchers explained. “They can, however, be sideloaded on any device and don’t need to be installed via the App Store.”

The Google researchers found that the iOS version of Hermit exploited six known exploits in iOS, most of which have since been patched.

The researchers said the rise of the commercial spyware industry should concern all internet users.

“These vendors are enabling the proliferation of dangerous hacking tools and arming governments that would not be able to develop these capabilities in-house,” they concluded. “While use of surveillance technologies may be legal under national or international laws, they are often found to be used by governments for purposes antithetical to democratic values: targeting dissidents, journalists, human rights workers and opposition party politicians.”

Photo: Kim Seng/Flickr

A message from John Furrier, co-founder of SiliconANGLE:

Show your support for our mission by joining our Cube Club and Cube Event Community of experts. Join the community that includes Amazon Web Services and Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger and many more luminaries and experts.

Join Our Community 

Click here to join the free and open Startup Showcase event.

“TheCUBE is part of re:Invent, you know, you guys really are a part of the event and we really appreciate your coming here and I know people appreciate the content you create as well” – Andy Jassy

We really want to hear from you, and we’re looking forward to seeing you at the event and in theCUBE Club.

Click here to join the free and open Startup Showcase event.