
Google warns of ISP-controlled Hermit spyware

The spyware primarily targets Android and iOS users in Italy and Kazakhstan

Google’s Threat Analysis Group (TAG) has identified a new spyware campaign targeting Android and iOS users in Italy and Kazakhstan for data theft.

The alleged maker of the spyware is RCS Labs, an Italy-based commercial spyware vendor.

Earlier this month, security researchers at Lookout found evidence linking the vendor to Hermit, a spyware program that was first released by Italian authorities in 2019 as a corruption countermeasure.

According to Lookout, RCS Labs is an NSO Group-like entity. The firm claims to provide "lawful intercept" services to government agencies.

Reports indicate Hermit can infect both Android and iOS devices. Google’s researchers have also recorded instances where malicious actors collaborated with internet service providers (ISPs) to disable their targets’ data connection.

Targets subsequently received an SMS message prompting them to download an application to restore their internet connection. In instances without ISP involvement, the spyware masqueraded as legitimate-looking messaging apps such as WhatsApp or Instagram. An added danger of Hermit is that it can download modules from its command-and-control server, giving it additional capabilities.

Hermit never made its way to Google Play or the App Store, according to Google. The company did, however, discover evidence that bad actors were able to deploy the spyware on iOS devices by enrolling in Apple's Developer Enterprise Program, which allows apps to be distributed outside the App Store.

“This campaign is a good reminder that attackers do not always use exploits to achieve the permissions they need. Basic infection vectors and drive-by downloads still work and can be very efficient with the help from local ISPs,” stated Google in a blog post.

“To protect our users, we have warned all Android victims, implemented changes in Google Play Protect and disabled Firebase projects used as C2 in this campaign.”
