According to research from Google's Threat Analysis Group (TAG), a sophisticated spyware campaign is using internet service providers (ISPs) to trick users into downloading malicious apps (via TechCrunch). This supports earlier research from the security company Lookout, which connected the spyware, known as Hermit, to the Italian spyware maker RCS Labs. Lookout claims that RCS Labs sells commercial spyware to various government agencies and works in the same industry as NSO Group, the notorious surveillance-for-hire business that created the Pegasus spyware.
Hermit, according to researchers at Lookout, has already been used by the governments of Italy and Kazakhstan. According to these findings, Google has identified victims in both nations and says it will inform the users who are impacted. Hermit is a modular threat that can download extra capabilities from a command and control (C2) server, according to the description in Lookout's report. By doing this, the spyware is given access to the call logs, location, pictures, and text messages on the victim's device.
Hermit can also make and receive phone calls, record audio, and root an Android device to gain complete access to the operating system. By posing as a trusted source, usually a mobile carrier or messaging app, the spyware can spread to both Android and iPhone devices. Google discovered that some attackers actually collaborated with ISPs to disable a victim's mobile data in order to further their scheme. The malicious app download would then lead users to believe that their internet connectivity would be restored.
In the event that attackers were unable to cooperate with an ISP, according to Google, they pretended to be genuine-looking messaging apps and tricked users into downloading them. Hermit-containing apps, according to researchers from Lookout and TAG, were never made available through the Google Play or Apple App Stores. However, by signing up for Apple's Developer Enterprise Program, attackers were able to spread infected apps on iOS.