Google is warning victims in Kazakhstan & Italy that they are being targeted by Hermit, a sophisticated modular spyware from Italian vendor RCS Labs that not only can steal data but also record & make calls.
Researchers from Google’s Threat Analysis Group (TAG) revealed details in a blog post Thur. by TAG researchers Benoit Sevens & Clement Lecigne about campaigns that send targets a unique link to fake apps impersonating legitimate ones, in an attempt to get them to download & install the spyware.
However, none of the fake apps were found on either Apple’s or Google’s mobile app stores, they stated.
TAG is attributing the capabilities to notorious surveillance software vendor RCS Labs, which previously was linked to spyware activity employed by an agent of the Kazakhstan Govt. against domestic targets, & which was identified by Lookout research.
“We are detailing capabilities we attribute to RCS Labs, an Italian vendor that uses a combination of tactics, including atypical drive-by downloads as initial infection vectors, to target mobile users on both iOS & Android,” a Google TAG spokesperson wrote in an email.
All campaigns that TAG observed originated with a unique link sent to the target, which then tries to tempt the user into downloading Hermit spyware in one of 2 ways, researchers wrote in the post. When the link is clicked, victims are redirected to a web page for downloading & installing a surveillance app on either Android or iOS.
“The page, in Italian, asks the user to install one of these applications in order to recover their account,” with WhatsApp download links specifically pointing to attacker-controlled content for Android or iOS users, researchers wrote.
One lure used by threat players is to work with the target’s ISP to disable his or her mobile data connectivity, & then pretend to be a carrier application sent in a link to try to get the target to install a malicious app to recover connectivity, they explained.
In a separate blog post, Ian Beer of Google Project Zero outlined a case in which researchers discovered what appeared to be an iOS app from Vodafone, but which in fact was a fake app. Attackers send a link to this malicious app by SMS to try to fool targets into downloading the Hermit spyware.
“The SMS claims that in order to restore mobile data connectivity, the target must install the carrier app & includes a link to download & install this fake app,” Beer wrote.
Indeed, this is likely the reason most of the applications they observed in the Hermit campaign masqueraded as mobile carrier applications, Google TAG researchers wrote.
In other cases when they cannot work directly with ISPs, threat players use apps appearing to be messaging applications to hide Hermit, according to Google TAG, confirming what Lookout previously discovered in its research.
iOS Campaign Revealed
While Lookout previously shared details of how Hermit targeting Android devices works, Google TAG revealed details of how the spyware functions on iPhones.
They also released details of the host of vulnerabilities (2 of which were zero-day bugs when Google Project Zero initially identified them) that attackers exploit in their campaign. Beer’s post is a technical analysis of one of the bugs, CVE-2021-30983, internally referred to as Clicked3 & fixed by Apple in December 2021.
To distribute the iOS application, attackers simply followed Apple’s instructions on how to distribute proprietary in-house apps to Apple devices: they used the itms-services protocol with a manifest file that specified com.ios.Carrier as the identifier, researchers outlined.
The resulting app is signed with a certificate from a company named 3-1 Mobile SRL that was enrolled in the Apple Developer Enterprise Program, thus legitimising the certificate on iOS devices, they outlined.
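The in-house distribution route described above is ordinary Apple tooling: an itms-services:// link points at a manifest plist, and the manifest names the bundle identifier and the .ipa to fetch. A defender who receives such a link (from a user report or a mail/SMS gateway) can triage it before anyone taps “Install”. The script below is an added example, not code from Google TAG, Project Zero or RCS Labs; the link, the hosts and the manifest contents are constructed placeholders (only the com.ios.Carrier identifier comes from the article), and the manifest keys are Apple’s documented ones. It flags a manifest whose bundle identifier or download host does not match what the organisation expects for its own apps.

```python
"""Triage an Apple in-house (enterprise) app distribution link and manifest.

Added example for this article; not code from the posts it describes.
Sample link, hosts and manifest values are constructed for illustration.
"""
import plistlib
from urllib.parse import parse_qs, urlparse

# Constructed sample itms-services link. Apple documents the
# action=download-manifest form with a url parameter pointing at the plist.
SAMPLE_LINK = (
    "itms-services://?action=download-manifest"
    "&url=https://example.invalid/manifest.plist"
)

# Constructed sample manifest. Key names (items, assets, kind, url, metadata,
# bundle-identifier, bundle-version, title) are Apple's documented manifest
# keys; hosts and versions are placeholders. com.ios.Carrier is the
# identifier the article reports for the fake carrier app.
SAMPLE_MANIFEST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>items</key>
  <array>
    <dict>
      <key>assets</key>
      <array>
        <dict>
          <key>kind</key><string>software-package</string>
          <key>url</key><string>https://example.invalid/carrier.ipa</string>
        </dict>
      </array>
      <key>metadata</key>
      <dict>
        <key>bundle-identifier</key><string>com.ios.Carrier</string>
        <key>bundle-version</key><string>1.0</string>
        <key>kind</key><string>software</string>
        <key>title</key><string>Carrier</string>
      </dict>
    </dict>
  </array>
</dict>
</plist>
"""


def parse_itms_link(link):
    """Return the manifest URL carried by an itms-services download-manifest
    link, or None if the link is not of that form."""
    parsed = urlparse(link)
    if parsed.scheme != "itms-services":
        return None
    query = parse_qs(parsed.query)
    if query.get("action") != ["download-manifest"]:
        return None
    urls = query.get("url")
    return urls[0] if urls else None


def parse_manifest(manifest_bytes):
    """Return (bundle_id, title, package_url) for each item in the manifest."""
    plist = plistlib.loads(manifest_bytes)
    results = []
    for item in plist.get("items", []):
        meta = item.get("metadata", {})
        # The software-package asset is the .ipa the device will download.
        pkg_url = next(
            (a.get("url") for a in item.get("assets", [])
             if a.get("kind") == "software-package"),
            None,
        )
        results.append((meta.get("bundle-identifier"), meta.get("title"), pkg_url))
    return results


def triage(link, manifest_bytes, expected_bundle_prefixes, expected_hosts):
    """Return human-readable findings; an empty list means the link and
    manifest match the organisation's own in-house app conventions."""
    findings = []
    manifest_url = parse_itms_link(link)
    if manifest_url is None:
        findings.append("link is not an itms-services download-manifest link")
        return findings
    host = urlparse(manifest_url).hostname or ""
    if host not in expected_hosts:
        findings.append(f"manifest hosted on unexpected host: {host}")
    for bundle_id, title, pkg_url in parse_manifest(manifest_bytes):
        if not bundle_id or not bundle_id.startswith(tuple(expected_bundle_prefixes)):
            findings.append(
                f"unexpected bundle identifier: {bundle_id!r} (title {title!r})")
        pkg_host = urlparse(pkg_url or "").hostname or ""
        if pkg_host not in expected_hosts:
            findings.append(
                f"package for {bundle_id!r} hosted on unexpected host: {pkg_host}")
    return findings


if __name__ == "__main__":
    # Hypothetical organisation that signs its own apps as com.examplecorp.*
    # and serves manifests only from apps.examplecorp.invalid.
    for finding in triage(SAMPLE_LINK, SAMPLE_MANIFEST,
                          ["com.examplecorp."], {"apps.examplecorp.invalid"}):
        print("FINDING:", finding)
```

Run on the constructed sample, the script reports three findings: the manifest host, the bundle identifier and the package host all fall outside the expected set. The signing certificate itself is not in the manifest, so a complete check would also inspect the provisioning profile embedded in the .ipa; this example deliberately stops at what the link and manifest alone reveal.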
The iOS app itself is broken up into many parts, researchers suggested, including a generic privilege escalation ‘exploit wrapper’ which is used by 6 different exploits for previously identified bugs. In addition to Clicked3, the other bugs exploited are:
- CVE-2018-4344 internally referred to & publicly known as LightSpeed;
- CVE-2019-8605 internally referred to as SockPort2 & publicly known as SockPuppet;
- CVE-2020-3837 internally referred to & publicly known as TimeWaste;
- CVE-2020-9907 internally referred to as AveCesare; &
- CVE-2021-30883 internally referred to as Clicked2, marked as being exploited in-the-wild by Apple in Oct. 2021.
All exploits used pre-2021 are based on public exploits written by different jailbreaking communities, researchers added.
The emergence of Hermit spyware shows how threat players, who often work as state-sponsored entities, are moving to using new surveillance technologies & tactics following the issues over repressive regimes’ use of Israel-based NSO Group’s Pegasus spyware in cyber-attacks against dissidents, activists & NGOs, as well as the murders of journalists.
While use of spyware like Hermit may be legal under national or international laws, “they are often found to be used by govts. for purposes antithetical to democratic values: targeting dissidents, journalists, human rights workers & opposition party politicians,” Google TAG researchers wrote.
The US blacklisted NSO Group over this activity, which drew international attention. It apparently has not stopped the proliferation of spyware for nefarious purposes in the least, according to Google TAG.
The commercial spyware industry continues to thrive & grow at a significant rate, which “should be concerning to all Internet users,” researchers wrote.
“These vendors are enabling the proliferation of dangerous hacking tools and arming govts. that would not be able to develop these capabilities in-house,” they concluded.