Google is warning victims in Kazakhstan and Italy that they are being targeted by Hermit, a sophisticated and modular spyware from Italian vendor RCS Labs that not only can steal data but also record and make calls.
Google Threat Analysis Group (TAG) researchers Benoit Sevens and Clement Lecigne revealed details in a blog post Thursday about campaigns that send targets a unique link to fake apps impersonating legitimate ones, in an attempt to get them to download and install the spyware. None of the fake apps were found on either Apple’s or Google’s mobile app stores, however, they said.
TAG is attributing the capabilities to notorious surveillance software vendor RCS Labs, which Lookout research previously linked to spyware activity carried out by an agent of the Kazakhstan government against domestic targets.
“We are detailing capabilities we attribute to RCS Labs, an Italian vendor that uses a combination of tactics, including atypical drive-by downloads as initial infection vectors, to target mobile users on both iOS and Android,” a Google TAG spokesperson wrote in an email to Threatpost sent Thursday afternoon.
All campaigns that TAG observed originated with a unique link sent to the target that tries to lure the user into downloading Hermit spyware in one of two ways, researchers wrote in the post. Once the link is clicked, victims are redirected to a web page for downloading and installing a surveillance app on either Android or iOS.
“The page, in Italian, asks the user to install one of these applications in order to recover their account,” with WhatsApp download links specifically pointing to attacker-controlled content for Android or iOS users, researchers wrote.
Collaborating with ISPs
One lure is for the threat actors to work with the target’s ISP to disable the target’s mobile data connectivity, then send a link to a fake carrier application that the target is told to install in order to recover connectivity, they said.
In a separate blog post, Ian Beer of Google Project Zero outlined a case in which researchers discovered what appeared to be an iOS app from Vodafone but was in fact a fake app. Attackers send a link to this malicious app by SMS to try to fool targets into downloading the Hermit spyware.
“The SMS claims that in order to restore mobile data connectivity, the target must install the carrier app and includes a link to download and install this fake app,” Beer wrote.
Indeed, this is likely the reason why most of the applications they observed in the Hermit campaign masqueraded as mobile carrier applications, Google TAG researchers wrote.
In other cases, when they can’t work directly with ISPs, threat actors hide Hermit in apps that appear to be messaging applications, according to Google TAG, confirming what Lookout previously discovered in its research.
iOS Campaign Revealed
While Lookout previously shared details of how Hermit targeting Android devices works, Google TAG revealed specifics of how the spyware functions on iPhones.
They also released details of the host of vulnerabilities—two of which were zero-day bugs when Google Project Zero initially identified them—that attackers exploit in their campaign. In fact, Beer’s post is a technical analysis of one of the bugs: CVE-2021-30983, internally referred to as Clicked3 and fixed by Apple in December 2021.
To distribute the iOS application, attackers simply followed Apple’s instructions for distributing proprietary in-house apps to Apple devices, using the itms-services protocol with a manifest file that lists com.ios.Carrier as the identifier, researchers said.
The resulting app is signed with a certificate from a company named 3-1 Mobile SRL that was enrolled in the Apple Developer Enterprise Program, thus legitimizing the certificate on iOS devices, they said.
The iOS app itself is broken up into multiple parts, researchers said, including a generic privilege escalation exploit wrapper that is used by six different exploits for previously identified bugs. In addition to Clicked3, the other bugs exploited are:
- CVE-2018-4344 internally referred to and publicly known as LightSpeed;
- CVE-2019-8605 internally referred to as SockPort2 and publicly known as SockPuppet;
- CVE-2020-3837 internally referred to and publicly known as TimeWaste;
- CVE-2020-9907 internally referred to as AveCesare; and
- CVE-2021-30883 internally referred to as Clicked2, marked by Apple as exploited in the wild in October 2021.
All exploits used before 2021 are based on public exploits written by different jailbreaking communities, researchers added.
The emergence of Hermit spyware shows how threat actors—often working as state-sponsored entities—are pivoting to using new surveillance technologies and tactics following the blow-up over repressive regimes’ use of Israel-based NSO Group’s Pegasus spyware in cyberattacks against dissidents, activists and NGOs, as well as the murders of journalists.
Indeed, while use of spyware like Hermit may be legal under national or international laws, “they are often found to be used by governments for purposes antithetical to democratic values: targeting dissidents, journalists, human rights workers and opposition party politicians,” Google TAG researchers wrote.
The United States blacklisted NSO Group over the activity, which drew international attention and ire. But it apparently has not stopped the proliferation of spyware for nefarious purposes in the slightest, according to Google TAG.
In fact, the commercial spyware industry continues to thrive and grow at a significant rate, which “should be concerning to all Internet users,” researchers wrote.
“These vendors are enabling the proliferation of dangerous hacking tools and arming governments that would not be able to develop these capabilities in-house,” they said.