Google warns internet service providers helped distribute Hermit spyware

Google warns of a sophisticated new spyware campaign in which malicious actors have stolen sensitive data from Android and iOS users in Italy and Kazakhstan. On Thursday, the company’s Threat Analysis Group (TAG) shared its findings on RCS Labs, a commercial spyware vendor based in Italy.

On June 16, Hermit security researchers linked the company to Hermit, a spyware program believed to have been first used by Italian authorities as part of an anti-corruption operation in 2019. Lookout describes RCS Labs as an NSO Group-like entity. The company markets itself as a “legal wiretapping business” and claims to work only with government agencies. However, commercial spyware vendors have come under intense scrutiny in recent years, largely thanks to governments using Pegasus spyware to .

According to Google, Hermit can infect both Android and iOS devices. In some cases, the company’s researchers observed that malicious actors colluded with their target’s ISP to disable their data connection. They would then send the target person an SMS message asking them to download the linked software to restore their internet connection. When that wasn’t an option, the attackers tried to disguise the spyware as a legitimate messaging app like WhatsApp or Instagram.

What makes Hermit particularly dangerous is that it can gain additional abilities by downloading modules from a command and control server. Some of the add-ons observed by Lookout allowed the program to steal data from the target’s calendar and address book apps, as well as capture photos using their phone’s camera. One module even gave the spyware the ability to root an Android device.

Google believes Hermit never made it into the Play or App stores. However, the company found evidence that attackers were able to spread the spyware on iOS by logging in to Apple. Apple tells that it has since blocked any accounts or certificates related to the threat. Google has now notified affected users and rolled out an update for Google Play Protect.

The company concludes by stating that the growth of the commercial spyware industry should affect everyone. “These vendors enable the proliferation of dangerous hacking tools and arm governments that could not develop these skills in-house,” the company said. “While the use of surveillance technologies may be legal under domestic or international law, they are often used by governments for purposes contrary to democratic values: against dissidents, journalists, human rights defenders and opposition party politicians.”