Google sounds the alarm over Hermit, a spyware targeting Android and iOS devices

Google has issued a stern warning to Android and iOS users about the widespread distribution of a strain of spyware known as Hermit.

According to researchers Benoît Sevens and Clément Lecigne of Google's Threat Analysis Group (TAG), a variant of this iOS and Android spyware is currently in circulation. It targets devices used by employees of large companies and public administrations. Victims have been located in Italy and Kazakhstan.

Record, call or retrieve data

Called Hermit, this spyware was designed for modular surveillance. After analyzing 16 of the 25 known modules, cybersecurity researchers at Lookout explained that the malware embeds itself in infected devices to record audio, redirect or place phone calls, and steal private data (SMS messages, call logs, contact lists, photos and GPS location data).

According to cybersecurity firm Lookout, strains of the spyware are not found in the official Google or Apple app stores, but in spyware-laden apps downloaded from third-party hosts.

The Android sample identified by the company required the victim to download an .APK file after enabling the installation of apps from unknown sources. The malware was disguised as a Samsung app and used Firebase as part of its command-and-control (C2) infrastructure. “Although the APK itself does not contain exploits, the code hints at the presence of exploits that could be downloaded and applied,” the Lookout researchers explained.

Also present on iOS

Google's team, for its part, highlighted a sample of the spyware on an iOS device. This sample, signed with a certificate obtained through the Apple Developer Enterprise Program, contains privilege-escalation exploit code that relies on six vulnerabilities.

While four of them (CVE-2018-4344, CVE-2019-8605, CVE-2020-3837, CVE-2020-9907) were already known, the other two – CVE-2021-30883 and CVE-2021-30983 – are suspected of having been exploited as zero-day flaws before Apple fixed them in December 2021. Apple has since revoked the certificates associated with the Hermit campaign.

Google and Lookout say the espionage is likely attributable to RCS Lab, an Italian company that has been in business since 1993. RCS Lab defended itself by telling TechCrunch that it “exports its products in compliance with national and European rules and regulations”, and that “any sale or implementation of products is carried out only after having received an official authorization from the competent authorities”.

Spyware outbreak

Hermit’s circulation only shines a light on a larger problem: the burgeoning industry of spyware and digital surveillance.

Last week, Google officials testified at the EU parliamentary inquiry hearing into the use of Pegasus and other commercial-grade spyware.

According to Google's teams, more than 30 vendors currently offer exploits or spyware to government-backed entities. For Charley Snyder, head of cybersecurity policy at Google, although their use may be legal, “we often see that they are used by governments for purposes contrary to democratic values: to target dissidents, journalists, human rights defenders and politicians”.
