Screenshot of a site controlled by attackers
Lookout and Google pointed out that Hermit has been confirmed to be commercial spyware with government backing, with victims mainly in Kazakhstan and Italy, but also in northern Syria.
The spyware is modular: it fetches additional modules from its command and control (C&C) server as needed, giving it capabilities such as collecting call logs, recording ambient audio, redirecting calls, stealing photos, messages and emails from the victim's device, and tracking the victim's precise location.
Lookout's analysis found that Hermit runs on all Android versions and attempts to root infected Android devices.
Attackers send malicious links via text messages to lure victims into downloading and installing the malware from outside the official app store. Typically, Hermit disguises itself as an app from a major telecommunications brand or as a messaging app.
In addition, in a blog post on Thursday, Google reported evidence that the actors behind the campaign worked with the targets' ISPs to cut off victims' mobile data connections. The victim is then, it is speculated, lured into downloading the app under the pretext of restoring connectivity.
Google also analyzed the iOS samples of the spyware and found that Hermit's iOS app abused an Apple enterprise developer certificate so that the spyware could be installed from outside the App Store.
The iOS spyware exploits six different vulnerabilities, two of which were undisclosed zero-days. To make matters worse, Apple knew that one of the zero-day vulnerabilities was being actively exploited before the fix was complete.
Fortunately, both tech giants said they have not found the Android or iOS versions of the Hermit spyware in their official app stores.
Google has since sent warning notices to users of infected Android devices and updated the system's built-in Google Play Protect safety scanner to block the spyware from running.
Google also shut down the Firebase account the spyware used to communicate with its server, but did not disclose how many Android devices were affected by Hermit.
Apple spokesman Trevor Kincaid said the company had revoked all known accounts and credentials associated with the spyware campaign.
It is unclear exactly whom the Hermit spyware was targeting, but given notorious cases such as NSO Group and Candiru, it is not hard to speculate.