Google has spotted a dangerous new breed of malware making the rounds online, but the tool ID’d by security firm Lookout as “Hermit” isn’t your average money-making scheme. According to Google’s Threat Analysis Group (TAG), this spyware was developed by an Italian company called RCS Labs. The firm claims to be on the right side of the law, but that doesn’t change the fact that its software is being used to breach user privacy.
RCS Labs is one of numerous “lawful intercept” businesses, which work with governments and law enforcement to collect data from targets. Often, that means developing powerful surveillance tools with the help of undocumented security vulnerabilities. For example, NSO Group used its Pegasus malware to spy on activists and journalists. Essentially, they build and deploy malware at the behest of a government authority. While this might be legal under the right circumstances, the actions of these companies have come under increasing scrutiny from groups like Lookout and Google’s TAG.
In the case of Hermit, it appears to have spread in Italy and Kazakhstan. In some cases, the bad actors were able to infect their targets with the help of local internet service providers. The ISP would cut a device’s mobile connection, and then send the target a message with a link to restore their connection. In reality, the link loaded the Hermit spyware onto the device. When there wasn’t a compliant ISP, RCS Labs allegedly disguised the malware as a legitimate messaging app like WhatsApp and used social engineering to get the target to install it.
The malware was never hosted in the Google Play Store or Apple App Store, but that didn’t stop people from installing it. On Android phones, the malware needs to be sideloaded with unknown sources enabled. On iOS, the malware creators used a valid certificate for the Apple Developer Enterprise Program, which is used to distribute in-house apps. That allowed users to install the app directly outside of the App Store. Once installed, the app leveraged a raft of exploits to escalate privileges and download new function modules to take over a device, copy data, and monitor the user’s location.
Apple has revoked the developer certificates used in Hermit, and Google has rolled out an update to Play Protect to remove the malware. RCS Labs has been silent on the issue, which makes sense. It has a history of shady connections to military intelligence agencies in countries like Myanmar, Turkmenistan, Syria, and Pakistan, and the intelligence community is all about “no comment.”
Google says the growth in commercial spyware should concern everyone. With online surveillance more common than ever, you might find yourself swept up in a sophisticated malware operation in the future.