Google raises the alarm on Hermit, a spyware that targets Android and iOS devices

Google has issued a warning to users of Android and iOS mobile devices about a campaign distributing the Hermit spyware.

According to researchers Benoît Sevens and Clément Lecigne of the American giant’s Threat Analysis Group (TAG), both iOS and Android variants of this spyware are currently in circulation. It is aimed at devices used by employees of large companies and government agencies. The victims identified so far were located in Italy and Kazakhstan.

Record, call or exfiltrate data

Called Hermit, this spyware was designed for modular surveillance. After analyzing 16 of the 25 known modules, Lookout cybersecurity researchers explained that the malware establishes itself on infected devices to record audio, redirect or make phone calls, and steal private data (SMS messages, call logs, contact lists, photos and GPS location data).

According to cybersecurity firm Lookout, the samples are not distributed through the official Google or Apple app stores but through spyware-laden apps downloaded from third-party hosts.

The Android sample spotted by the cybersecurity company asked the victim to download an .APK file after enabling the installation of apps from unknown sources. The malware was disguised as a Samsung app and used Firebase as part of its command and control (C2) infrastructure. “While the APK itself does not contain exploits, the code suggests the presence of exploits that could be downloaded and executed,” the Lookout researchers explained.
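The practical check that follows from this is whether a device carries third-party packages that did not come from a store. The script below is an added example (not code from the article, Google TAG or Lookout): it parses the output of `adb shell pm list packages -3 -i`, which lists third-party packages together with the package that installed them, and flags packages with no installer (installed directly from an .APK) or an installer outside a trusted list, plus the narrower case of a sideloaded package whose name mimics a device vendor's namespace. The sample output, the trusted-installer list and all package names in it are constructed for the example.

```python
"""Triage sideloaded Android packages from `adb shell pm list packages -3 -i`.

Added example, not code from the article, Google TAG or Lookout. Input lines
look like `package:<name>  installer=<installer package or null>`. The -3 flag
restricts the listing to third-party packages, so installer=null there means
the APK was installed directly (adb, browser download, file manager) rather
than by a store. Preinstalled system apps also show installer=null, which is
why the -3 listing, not the full one, is the right input for this check.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumption: store installers considered trusted on this fleet. Extend with
# the OEM store of your devices (this example includes the Galaxy Store id).
TRUSTED_INSTALLERS = {
    "com.android.vending",               # Google Play
    "com.sec.android.app.samsungapps",   # Galaxy Store
}

# Vendor/platform namespaces a malicious sideloaded app might imitate.
BRAND_PREFIXES = ("com.samsung.", "com.google.", "com.android.")

LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<installer>\S+)$")

# Constructed sample of `pm list packages -3 -i` output; package names made up.
SAMPLE_PM_OUTPUT = """\
package:com.android.chrome  installer=com.android.vending
package:com.samsung.example.update  installer=null
package:com.example.notes  installer=null
package:com.acme.mdm  installer=com.acme.installer
"""


@dataclass(frozen=True)
class PackageRecord:
    name: str
    installer: Optional[str]   # None when pm prints "installer=null"


def parse_pm_list(output: str) -> List[PackageRecord]:
    """Parse pm output into records; rejects lines in an unexpected shape."""
    records = []
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unexpected pm output line: {line!r}")
        inst = m.group("installer")
        records.append(PackageRecord(m.group("pkg"), None if inst == "null" else inst))
    return records


def sideloaded(records: List[PackageRecord]) -> List[PackageRecord]:
    """Third-party packages not installed by a trusted store (null or unknown installer)."""
    return [r for r in records if r.installer not in TRUSTED_INSTALLERS]


def brand_mimics(records: List[PackageRecord]) -> List[PackageRecord]:
    """Sideloaded packages squatting on a vendor namespace, as the Hermit
    sample did with its Samsung disguise."""
    return [r for r in sideloaded(records)
            if r.installer is None and r.name.startswith(BRAND_PREFIXES)]


if __name__ == "__main__":
    recs = parse_pm_list(SAMPLE_PM_OUTPUT)
    for r in sideloaded(recs):
        print(f"sideloaded: {r.name} (installer={r.installer})")
    for r in brand_mimics(recs):
        print(f"vendor-namespace mimic: {r.name}")
```

Feed it real output with `adb shell pm list packages -3 -i > pkgs.txt` and call `parse_pm_list` on the file contents. A hit is a lead, not a verdict: enterprise MDM agents and legitimately sideloaded tools show up here too, so the next step is to pull the APK (`adb shell pm path <pkg>`, then `adb pull`) and inspect its signing certificate and contents.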

Also present on iOS

The Google teams, for their part, have described a sample of this spyware on an iOS device. This sample, signed with a certificate obtained through the Apple Developer Enterprise Program, bundled privilege-escalation exploits for six vulnerabilities.

Four of them (CVE-2018-4344, CVE-2019-8605, CVE-2020-3837, CVE-2020-9907) were already public; the other two, CVE-2021-30883 and CVE-2021-30983, are believed to have been exploited as zero-days before Apple fixed them in iOS 15.0.2 (October 2021) and iOS 15.2 (December 2021) respectively. Apple has since revoked the certificates associated with the Hermit campaign.
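An enterprise certificate is what lets an app like this install outside the App Store, so a useful triage step on a suspect .ipa is to read the provisioning profile it embeds. The script below is an added example, not code from the article or from Google TAG. It assumes the usual layout of an .ipa (a zip containing `Payload/<App>.app/embedded.mobileprovision`, where that file is a CMS signature wrapping an XML plist) and the documented meaning of the profile keys: an in-house (Enterprise Program) profile carries `ProvisionsAllDevices = true`, an ad hoc or development profile lists specific `ProvisionedDevices`, and an App Store profile carries neither. The sample .ipa is built in memory for the example, with an unsigned plist standing in for the CMS blob and a made-up team name.

```python
"""Classify the provisioning profile embedded in an iOS .ipa.

Added example, not code from the article or Google TAG. Assumptions: the
profile sits at Payload/<App>.app/embedded.mobileprovision, is a CMS blob
wrapping an XML plist, and uses the keys ProvisionsAllDevices (enterprise),
ProvisionedDevices (ad hoc/development) and ExpirationDate. The sample .ipa
below is constructed in memory; its profile contents are made up.
"""
import io
import plistlib
import zipfile
from datetime import datetime
from typing import Optional

PLIST_START = b"<?xml"
PLIST_END = b"</plist>"

# Constructed profiles (team name and dates are made up for the example).
ENTERPRISE_PROFILE = {
    "Name": "Example In-House Distribution",
    "TeamName": "Example Corp (made up)",
    "ProvisionsAllDevices": True,
    "ExpirationDate": datetime(2023, 1, 1),
    "Entitlements": {"get-task-allow": False},
}
STORE_PROFILE = {
    "Name": "Example App Store Distribution",
    "TeamName": "Example Corp (made up)",
    "ExpirationDate": datetime(2023, 1, 1),
    "Entitlements": {"get-task-allow": False},
}


def extract_profile_plist(blob: bytes) -> dict:
    """Pull the XML plist out of a .mobileprovision without verifying the CMS
    wrapper: the signature is Apple's, and for triage we only need the body."""
    start = blob.find(PLIST_START)
    end = blob.find(PLIST_END)
    if start < 0 or end < 0:
        raise ValueError("no XML plist found in provisioning profile")
    return plistlib.loads(blob[start:end + len(PLIST_END)])


def classify_profile(profile: dict) -> str:
    if profile.get("ProvisionsAllDevices"):
        return "enterprise"          # in-house distribution: installs on any device
    if profile.get("ProvisionedDevices"):
        return "adhoc-or-development"  # limited to the listed device UDIDs
    return "appstore"


def inspect_ipa(ipa_bytes: bytes, now: Optional[datetime] = None) -> dict:
    """Return the distribution kind, team name and expiry status of an .ipa."""
    now = now or datetime.utcnow()
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as z:
        names = [n for n in z.namelist()
                 if n.startswith("Payload/") and n.endswith(".app/embedded.mobileprovision")]
        if not names:
            return {"kind": "no-embedded-profile", "team": None, "expired": None}
        profile = extract_profile_plist(z.read(names[0]))
    exp = profile.get("ExpirationDate")
    return {
        "kind": classify_profile(profile),
        "team": profile.get("TeamName"),
        "expired": (exp < now) if isinstance(exp, datetime) else None,
    }


def build_sample_ipa(profile: dict) -> bytes:
    """Constructed .ipa: a zip whose profile is a plist behind a fake DER prefix."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Payload/Example.app/Info.plist",
                   plistlib.dumps({"CFBundleIdentifier": "com.example.app"}))
        z.writestr("Payload/Example.app/embedded.mobileprovision",
                   b"\x30\x82\x00\x00" + plistlib.dumps(profile))
    return buf.getvalue()


if __name__ == "__main__":
    for label, prof in (("enterprise", ENTERPRISE_PROFILE), ("store", STORE_PROFILE)):
        print(label, inspect_ipa(build_sample_ipa(prof), now=datetime(2022, 6, 1)))
```

Run `inspect_ipa(open("suspect.ipa", "rb").read())` on a real file. An `enterprise` result on a device that is not enrolled in that organisation's in-house distribution is the signal worth escalating; it does not tell you whether Apple has since revoked the certificate, which the device checks online at install and launch time.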

Google and Lookout state that the spyware is most likely attributable to RCS Lab, an Italian company in business since 1993. RCS Lab defended itself by telling TechCrunch that it “exports its products in compliance with national and European rules and regulations”, and that “any sale or production of products is carried out only after receiving official authorization from the competent authorities”.

Spyware outbreak

Hermit’s circulation is only one symptom of a bigger problem: the burgeoning spyware and digital surveillance industry.

Last week, Google officials provided evidence at the hearing of the EU Parliamentary Inquiry Committee into the use of Pegasus and other commercial-grade spyware.

According to the American giant’s teams, more than 30 vendors currently offer exploits or spyware to government-backed entities. According to Charley Snyder, head of Google’s cybersecurity policy, although their use may be legal, “it is often seen that they are used by governments for purposes contrary to democratic values: targeting dissidents, journalists, human rights defenders and politicians.”
