Lookout, a cloud-based security company, has recently discovered a new spyware called “Hermit” that is capable of affecting both Android and iOS devices. According to a recent report by TechCrunch, the company’s security researchers have detailed that an Android version of the spyware was used in “targeted attacks by national governments with victims in Kazakhstan, Syria and Italy.” Now, Google’s researchers have also confirmed Lookout’s findings and have started notifying Android users whose devices have already been compromised by the spyware.
What is the Hermit spyware
According to the report, Google and Lookout have confirmed that Hermit is a commercial spyware that is known to be used by governments, with victims in Kazakhstan, Italy and northern Syria. Lookout has also mentioned that the spyware was first detected in Kazakhstan in April after the government violently suppressed protests against government policies. Moreover, the spyware is also speculated to have been deployed in the northeastern Kurdish region of Syria and by Italian authorities as part of an anti-corruption investigation. The report also mentions that Lookout has linked the spyware to RCS Lab, while the Italian software company has denied accountability.
How is the spyware distributed
As per the report, this nasty Android app is distributed via text messages that appear to come from a legitimate source. The malware can impersonate apps developed by telecom companies and manufacturers like Samsung and Oppo, which tricks the victim into downloading it, suggests the report.
How does it affect Android and iOS devices
The report also mentions that Lookout got hold of a sample of the Hermit Android malware, which is said to be modular: the spyware can download additional components as it requires them. Like any other spyware, this one uses different modules to collect call logs, photos, messages and emails, as well as to record audio, redirect phone calls and even expose the device’s exact location.
Moreover, Lookout has also warned that the spyware can root phones by using files from its command-and-control server that are required to break the device’s protections and allow unhindered access without user interaction. Paul Shunk, a Lookout researcher, mentioned that the malware can run on all Android versions and “stands out from other app-based spyware.”
Meanwhile, Google has also analysed a sample of the Hermit spyware targeting iPhones. According to the tech giant, the Hermit iOS app corrupts Apple enterprise developer certificates and allows the spyware to be sideloaded on a victim’s device from outside the app store. The iOS app also packs six different exploits out of which two are zero-day vulnerabilities.
How Google and Apple are reacting to the spyware
The report mentioned that neither the Android nor the iOS versions of the Hermit spyware were found in the respective app stores. Apart from notifying the affected Android users, Google has also updated its Play Protect (the built-in app security scanner in Android) to block the app from running, says the report. Moreover, the company has also killed the spyware’s Firebase account, which was used to communicate with its servers. However, Google didn’t mention the number of affected Android users that the company has notified.
Meanwhile, Apple has also removed all known “accounts and certificates associated with the spyware campaign,” suggests the report.