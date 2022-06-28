



Google has discovered a dangerous new type of malware making the rounds online, but the tool, which security firm Lookout has named “Hermit”, is not an ordinary money-making scheme. According to Google’s Threat Analysis Group (TAG), this spyware was developed by an Italian company called RCS Labs. The company claims to operate within the law, but that does not change the fact that the software is being used to invade the privacy of the people it targets.

RCS Labs is one of many “lawful intercept” businesses that work with governments and law enforcement agencies to collect data from targets. In many cases, this means developing powerful monitoring tools that exploit undocumented security vulnerabilities; NSO Group’s Pegasus malware, for example, was used to spy on activists and journalists. In short, these companies build and deploy malware at the request of government authorities. While this may be legal under the right circumstances, their behavior is coming under increasing scrutiny from groups such as Lookout and Google’s TAG.

In Hermit’s case, the spyware appears to have been deployed in Italy and Kazakhstan. In some cases, the attacker infected the target with the help of a local internet service provider. The ISP cut off the device’s mobile data connection and then sent the target a message containing a link that supposedly restored the connection. In reality, the link loaded the Hermit spyware onto the device. Where no cooperating ISP was available, RCS Labs allegedly disguised the malware as a legitimate messaging app such as WhatsApp and used social engineering to get the target to install it.

The malware was never hosted on the Google Play Store or Apple App Store, but that did not stop targets from installing it. On Android phones, the target has to enable installation from unknown sources to sideload the malware. On iOS, the malware authors used a valid certificate from the Apple Developer Enterprise Program, which is intended for distributing in-house apps; this allowed the app to be installed directly, outside the App Store. Once installed, the app uses a series of exploits to elevate its privileges, download additional functional modules, take over the device, copy data, and track the user’s location.

Apple has revoked the developer certificate used by Hermit, and Google has released a Play Protect update to remove the malware. RCS Labs has not commented on the matter, which is unsurprising: it has a reported history of shadowy ties to military and intelligence agencies in countries such as Myanmar, Turkmenistan, Syria and Pakistan, none of which have commented either.

Google says the growth of commercial spyware should concern everyone. Online surveillance is more common than ever, and anyone could find themselves the target of an advanced malware operation in the future.

