Google Notifies Android Users Who Were Victims of State-Level Hermit Spyware



Security researchers at Lookout recently tied a previously unknown Android mobile spyware, named Hermit, to the Italian software company RCS Lab. Now, Google threat researchers have confirmed most of Lookout’s findings and are notifying Android users whose devices have been compromised by the spyware.


Hermit is commercial spyware known to be used by governments in Kazakhstan and Italy, according to Lookout and Google. Lookout reports that it has also seen the spyware deployed in northern Syria. The spyware uses various modules, which it downloads from its command and control servers as needed, to collect call logs, record ambient sound, redirect phone calls, and collect photos, messages, emails, and the exact device location from the victim’s device. Lookout said in its analysis that Hermit, which runs on all versions of Android, also tries to root the infected Android device, giving the spyware even deeper access to the victim’s data.


Lookout said targeted victims are sent a malicious link in a text message and are tricked into downloading and installing a malicious app that masquerades as a legitimate branded telco or messaging app from outside the app store.

According to a new blog post published Thursday and provided to TechCrunch ahead of its release, Google said it found evidence that in some cases the government actors controlling the spyware worked with the target’s ISP to disable their mobile data, likely as a lure to trick the target into downloading a telecommunications application under the guise of restoring communications.


Google also analyzed a Hermit spyware sample targeting iPhones that Lookout had previously been unable to obtain. According to Google’s findings, the Hermit iOS app, which abuses Apple’s enterprise developer certificates to allow the spyware to be downloaded to a victim’s device from outside the app store, contains six different exploits, two of which were previously unknown vulnerabilities, or zero days, at the time of their discovery. One of the zero-day vulnerabilities was known to Apple as actively exploited before it was fixed.

Neither Android nor iOS versions of Hermit spyware have been found in app stores, according to both companies. Google said it has “notified Android users of infected devices” and updated Google Play Protect, Android’s built-in app security scanner, to block the app from running. Google said it also disabled the spyware’s Firebase account, which the spyware used to communicate with its servers.

Google did not say how many Android users were notified.

Apple spokesman Trevor Kincaid told TechCrunch that Apple has revoked all known accounts and certificates associated with the spy campaign.

Hermit is the latest state-level spyware known to be used by government agencies. While it is not known who was targeted by governments using Hermit, similar mobile spyware developed by hacker-for-hire companies such as NSO Group and Candiru has been linked to the surveillance of journalists, activists and human rights activists.

When contacted for comment, RCS Lab provided an unattributed statement that read, in part: “RCS Lab exports its products in accordance with both national and European rules and regulations. Any sale or sale of products is carried out only after obtaining official permission from the competent authorities. Our products are delivered and installed in the premises of trusted customers. RCS Lab personnel are not exposed to or involved in any activities hosted by their respective clients.”


You can reach this reporter on Signal and WhatsApp at +1 646-755-8849 or email [email protected]


Credit: techcrunch.com
