Google Warns ISPs Helped Distribute Hermit Spyware (engadget.com)
Google is warning of a sophisticated new spyware campaign that has seen malicious actors steal sensitive data from Android and iOS users in Italy and Kazakhstan. Engadget reports: On Thursday, the company's Threat Analysis Group (TAG) shared its findings on RCS Labs, a commercial spyware vendor based out of Italy. On June 16th, security researchers at Lookout linked the firm to Hermit, a spyware program believed to have been first deployed in 2019 by Italian authorities as part of an anti-corruption operation. Lookout describes RCS Labs as an NSO Group-like entity. The firm markets itself as a "lawful intercept" business and claims it only works with government agencies. However, commercial spyware vendors have come under intense scrutiny in recent years, largely thanks to governments using the Pegasus spyware to target activists and journalists.
According to Google, Hermit can infect both Android and iOS devices. In some instances, the company's researchers observed malicious actors working with their target's internet service provider to disable the target's data connection. They would then send the target an SMS message prompting them to download the linked software to restore their internet connection. If that wasn't an option, the bad actors attempted to disguise the spyware as a legitimate messaging app like WhatsApp or Instagram.
What makes Hermit particularly dangerous is that it can gain additional capabilities by downloading modules from a command and control server. Some of the add-ons Lookout observed allowed the program to steal data from the target's calendar and address book apps, as well as take pictures with the phone's camera. One module even gave the spyware the capability to root an Android device. Google believes Hermit never made its way to the Play Store or the App Store. However, the company found evidence that bad actors were able to distribute the spyware on iOS by enrolling in Apple's Developer Enterprise Program. Apple told The Verge that it has since blocked any accounts or certificates associated with the threat. Meanwhile, Google has notified affected users and rolled out an update to Google Play Protect.
Meanwhile... (Score:2)
Re: Meanwhile... (Score:4, Funny)
I literally just saw a Chrome commercial advertising how Chrome protects you from malware.
As the crooks they are (Score:1)
Re: (Score:3)
Well, it was a real problem from the start. They probably mined it 'til it was no longer possible to keep it under wraps because others have already noticed it. Just like in the old joke:
Q: Question for great Radio Jerewan: Could the catastrophe of Chernobyl have been prevented?
A: Certainly. But the damn Swedes tattled.
Re: As the crooks they are (Score:2)
Re: (Score:2)
If you have HBO, check out "Chernobyl." 9 out of 10 on the holy f-ing hell meter for me. Great miniseries.
Re: (Score:2)
The punchline of the joke relies on the Soviets basically keeping everything under wraps until a Swedish nuclear reactor reported an alarming level of radioactivity, but they also quickly found out that it ain't from them, and from wind currents they managed to trace it back to the Soviet Union.
Re: (Score:2)
Re: (Score:2)
Look on the bright side, he has the rest of his life. Not everyone from there was that lucky.
International bad actors (Score:2)
Steven and Nicholas are at it again!
https://www.theregister.com/20... [theregister.com]
Hermit (Score:1)
I confuse John Oliver, Oliver Stone, & Sacha C (Score:1)
I'm wondering how Google makes money on this PR virtue-signaling exercise.
Something doesn't smell right. (Score:2)
So, why is Google acting like this is a tool from some criminal gang? I find myself having to question their sincerity.