Google warns internet service providers helped distribute Hermit spyware

by mcdix

Google warns of a sophisticated new spyware campaign in which attackers steal sensitive data from Android and iOS users in Italy and Kazakhstan. On Thursday, the company’s Threat Analysis Group (TAG) shared its findings about RCS Labs, a commercial spyware vendor based in Italy. On June 16, security researchers at Lookout linked the company to Hermit, a spyware program believed to have been deployed by Italian authorities for the first time in 2019 as part of an anti-corruption operation. Lookout describes RCS Labs as an NSO Group-like entity. The company markets itself as a “lawful interception company” and claims it only cooperates with government agencies. However, commercial spyware vendors have come under intense scrutiny in recent years, largely thanks to governments using the Pegasus spyware to attack activists and journalists.

According to Google, Hermit can infect both Android and iOS devices. In some cases, the company’s researchers saw that attackers were working with their target’s Internet service provider to disable their data connection. They then sent the target a text message asking them to download the associated software to restore their internet connection. If that wasn’t an option, the bad actors tried to disguise the spyware as a legitimate messaging app like WhatsApp or Instagram. Hermit is particularly dangerous because it can gain additional capabilities by downloading modules from a command and control server. Some of the add-ons that Lookout has observed allowed the program to steal data from the target’s calendar and address book apps and take pictures with their phone’s camera. One module even gave the spyware the ability to root an Android device.


Google believes Hermit never made its way into the Play or App stores. However, the company found evidence that malicious parties could spread the spyware on iOS by enrolling in Apple’s Developer Enterprise Program. Apple told The Verge it has since blocked any accounts or certificates associated with the threat. Meanwhile, Google has notified affected users and rolled out an update for Google Play Protect. The company ends its post by saying that the growth of the commercial spyware industry should concern everyone. “These suppliers are spreading dangerous hacking tools and arming governments that could not develop these capabilities in-house,” the company said.

“While surveillance technologies may be legal under national or international laws, they often appear to be used by governments for purposes contrary to democratic values: targeting dissidents, journalists, human rights workers and politicians from opposition parties.” Our editorial team, independent of our parent company, has selected all products Engadget recommends. Some of our stories contain affiliate links. We may earn an affiliate commission if you buy something through one of these links.

You may also like