After Pegasus comes Hermit. Google, in collaboration with the cybersecurity firm Lookout Threat Lab, has recently published research concluding that several governments are reportedly using spyware aimed at stealing private information from European users.
The spyware, apparently developed by the Italian company RCS Lab, reportedly uses a combination of tactics to attack both iOS and Android users. According to the investigations, victims have been identified in Italy and Kazakhstan.
This is how Hermit works, the spyware that infects more than 10,000 people every day
Like Pegasus, Hermit appears to be spyware used mainly by intelligence agencies and governments, including those of Italy and Kazakhstan. The investigations carried out by Google and Lookout conclude that these organizations reportedly used Hermit to access contacts and private messages stored on their citizens' devices.
However, the malware's capabilities go much further: it can obtain browser history data and files saved in device storage, and can even review the chat history of messaging applications and social networks.
Google explains that Hermit uses a combination of techniques to infect its victims' devices. In every campaign discovered involving this spyware, the attack began with a single link sent to the user's device. When the user opened it, they were urged to download and install the malicious app.
In this regard, it is believed that the attackers collaborated with internet service providers to deactivate the user's mobile data connection. The user was then sent a text message asking them to visit a URL and download the Hermit-infected app in order to recover connectivity.
For that reason, most of the applications in which the Hermit code has been discovered pretended to be mobile operator apps. The spyware has also been found posing as instant messaging applications. Using these techniques, it would be possible to infect nearly 10,000 targets every day, in Europe alone.
To infect Android devices, the user was asked to enable the installation of applications from unknown sources. Once installed, the app obtained access to a large number of permissions, many of them especially sensitive.
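As an added example (not part of the original article or of Google's or Lookout's tooling), the sketch below audits a device inventory for the pattern just described: an app that did not come from a trusted store and requests several sensitive permissions. It assumes the package list was collected with `adb shell pm list packages -3 -i` and the per-package permissions separately; the package names, the trusted-installer set, the permission list and the threshold are constructed assumptions.

```python
import re

# Assumption: only the Play Store counts as a trusted installer here.
TRUSTED_INSTALLERS = {"com.android.vending"}
P = "android.permission."
# Permissions guarding the data the article lists (contacts, messages,
# stored files) plus other commonly abused ones; adjust to your policy.
SENSITIVE = {P + name for name in (
    "READ_CONTACTS", "READ_SMS", "RECEIVE_SMS", "READ_CALL_LOG",
    "READ_EXTERNAL_STORAGE", "RECORD_AUDIO", "ACCESS_FINE_LOCATION", "CAMERA")}

# Line shape printed by `pm list packages -3 -i` (third-party apps only).
LINE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)$")

def parse_installers(text):
    """Map package name -> installer, with None for an unknown installer."""
    result = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # ignore blank or unexpected lines
        inst = m.group("inst")
        result[m.group("pkg")] = None if inst == "null" else inst
    return result

def flag_sideloaded(installers, permissions, threshold=3):
    """Return (package, installer, sensitive permissions) for each app that
    lacks a trusted installer and requests >= threshold sensitive permissions."""
    findings = []
    for pkg, inst in sorted(installers.items()):
        if inst in TRUSTED_INSTALLERS:
            continue
        hits = sorted(SENSITIVE & set(permissions.get(pkg, ())))
        if len(hits) >= threshold:
            findings.append((pkg, inst, hits))
    return findings

# Constructed sample data: hypothetical packages, not real indicators.
SAMPLE_LIST = """\
package:com.example.notes  installer=com.android.vending
package:com.example.carrier.support  installer=null
package:com.example.flashlight  installer=com.google.android.packageinstaller
"""
SAMPLE_PERMS = {
    "com.example.notes": [P + "READ_CONTACTS", P + "READ_SMS",
                          P + "READ_EXTERNAL_STORAGE", P + "RECORD_AUDIO"],
    "com.example.carrier.support": [P + "READ_CONTACTS", P + "READ_SMS",
                                    P + "READ_EXTERNAL_STORAGE",
                                    P + "ACCESS_FINE_LOCATION", P + "INTERNET"],
    "com.example.flashlight": [P + "CAMERA"],
}

if __name__ == "__main__":
    for finding in flag_sideloaded(parse_installers(SAMPLE_LIST), SAMPLE_PERMS):
        print(finding)
```

A hit is a prompt for review, not proof of infection: legitimately sideloaded apps can match, and an app requesting fewer permissions than the threshold will not.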
In the case of iOS, things change. Since Apple prevents the installation of apps from sources outside the App Store, it has been determined that Hermit uses the tool for distributing in-house applications on Apple devices, which is aimed at companies and professionals. This was possible because the company 3-1 Mobile SRL, behind which RCS Lab was found, was enrolled in the Apple Developer Enterprise Program and had the permissions needed to take advantage of this distribution channel.
Google, for its part, has reinforced the protection measures of Google Play Protect, and the Firebase projects used by this campaign have been disabled. Furthermore, all the users of Android devices infected by Hermit. Apple, for now, has not commented on the matter.