2022-06-28



A few days ago, articles about Hermit spyware (including ours) seemed intriguing to our readers.

Described in detail by Google’s Threat Analysis Group (TAG), Hermit spyware (named Hermit by security company Lookout, which first reported its discovery) is a dangerous and advanced piece of malware that is actively used in the wild. It is part of an attack chain: attackers use zero-day vulnerabilities (meaning vulnerabilities that have not yet been patched) and other dangerous exploits in Android and iOS code to deploy malware that can take control of someone’s iOS or Android device.

Most media outlets focused on the “news” part of the story. But as we’ve seen from this Reddit thread, what users really (and understandably) want to know is how to protect themselves from this threat, how to tell whether a device is infected, and, if it is, how to get rid of the spyware.

There is good news and bad news.

The attack

The bad news is that, when done properly, this is a very sophisticated attack that could fool almost anyone. One of the tactics attackers used, according to TAG, was to work with the target’s ISP to disable the target’s mobile data connection, then send a malicious link via SMS that promised to restore the connection but instead installed the malware.

It’s unclear whether the attackers actually involved the ISP in the attack or had insiders who could perform these actions, but the result is very dangerous. Imagine your phone losing its mobile data connection and your carrier immediately telling you, “We know your phone’s data connection isn’t working. Here’s a link to fix it.” Unless you are aware of this particular attack, you would probably click without hesitation.

See also: Google warns about “Hermit spyware” that infects Android and iOS devices

Another tactic was to send a link to a convincing but malicious version of a popular app such as Facebook or Instagram. This also resulted in the targeted phone being infected.

An example prompt for the target to install a malware app. Credit: Google TAG

On Apple devices, the attackers exploited a weakness in the company’s app distribution process to bypass the App Store while distributing an app that still passed the same security enforcement mechanism. In other words, these rogue applications could run on iOS devices without the system noticing anything unusual about them. According to TAG’s analysis, one such app contained a security flaw usable in six different exploits, allowing interesting files such as WhatsApp databases to be sent from the device to a third party.

TAG does not provide much information about what happens once the targeted device is infected. But there is even worse news: an attacker with access to the resources needed for this type of attack could deploy malware that is difficult or impossible to detect or remove. And it can be (almost) anything: software that eavesdrops on your phone conversations, reads your messages, accesses your camera, you name it. Anti-malware software may be able to detect some of it, or at least notify you that something is wrong, but the main thing to do is to prevent the device from getting infected in the first place.

But why did the attack happen?

According to TAG, these attacks and the malware are used by RCS Lab, an Italian company that says it works with governments (its tagline says it provides a technical solution and technical support to “legitimate enforcement agencies around the world”). According to TechCrunch, the company “exports products in compliance with both domestic and European rules and regulations” and its “products are sold or implemented only after official approval from the competent authority.”

In theory, these types of attacks should be fairly limited to very specific targets such as journalists, activists, and politicians. TAG has seen them active only in Italy and Kazakhstan (Lookout has added Syria to its list). Obviously, this is pretty scary: governments buying spyware from dubious vendors and deploying it against anyone they consider an enemy. But it’s the world we live in.


It’s not just RCS Lab and Hermit. TAG states that it is tracking more than 30 vendors selling “exploits or monitoring capabilities to government-sponsored actors.” These vendors include companies such as North Macedonia’s Cytrox, with its ALIEN/PREDATOR spyware, and Israel’s NSO Group, known for the Pegasus spyware.

Fortunately, this type of attack is unlikely to spread on a large scale to the devices of hundreds of millions of users. The people using these tools are targeting specific individuals rather than building spambot networks. However, it is still important to know how to protect against such advanced attacks, as you never know when you will become a “specific individual” on the list of some “legal enforcement agency.”

How do you protect yourself from such malware attacks?

The typical advice you will get from a security expert is not to install anything from an untrusted party and not to click a link from a stranger. This is a bit tricky to follow if your ISP is involved in the scam and is sending you a link to “fix” your data connection. The rule of thumb still applies: if something feels off, double-check it. If you’re not sure whether a link or app is legitimate, don’t click it, even if it appears to come from Google, Facebook, Apple, your ISP, or even relatives. Also keep your device’s software up to date.

TAG also emphasizes an important fact: the malicious apps used to deploy Hermit were not available in Apple’s App Store or Google’s Play Store (the hackers used a variety of tactics to bypass the official stores). Installing apps only from the official app stores does not provide 100% protection from malware, but it is definitely a good security measure.

Also, according to TAG, Google has taken steps to protect users directly affected by Hermit, such as warning all Android victims and implementing fixes to thwart the attacks. Apple told TechCrunch that it has revoked all known accounts and certificates associated with Hermit.

If you want to go one step further, security company Kaspersky has a list of actions you can take to protect yourself from sophisticated spyware. These include daily reboots, disabling iMessage and FaceTime, and browsing the Internet with an alternative browser instead of the popular Chrome and Safari.

Sources:
1/ https://Google.com/
2/ https://mashable.com/article/hermit-spyware-how-to-protect-cybersecurity

