Google has found strong evidence that enterprise-grade Android spyware called ‘Hermit’ is being used via SMS messages to target high-profile Android users.
The tech giant has warned all Android victims and implemented changes in Google Play Protect.
Cyber-security researchers last week unearthed ‘Hermit’ that is being used by the governments via SMS messages to target high-profile people like business executives, human rights activists, journalists, academics and government officials.
“Based on our analysis, the spyware, which we named ‘Hermit’ is likely developed by Italian spyware vendor RCS Lab and Tykelab Srl, a telecommunications solutions company we suspect to be operating as a front company,” the researchers from cyber-security company Lookout Threat Lab had said in a blog post.
Lookout researchers uncovered the ‘surveillanceware’ that was used by the government of Kazakhstan.
Google said late on Thursday that the government-backed bad actors “worked with the target’s ISP (internet service provider) to disable the target’s mobile data connectivity”.
“Once disabled, the attacker would send a malicious link via SMS asking the target to install an application to recover their data connectivity. We believe this is the reason why most of the applications masqueraded as mobile carrier applications,” Google’s Threat Analysis Group (TAG) warned.
When ISP involvement is not possible, applications are masqueraded as messaging applications.
Google has been tracking the activities of commercial spyware vendors for years, and taking steps to protect people.
Last week, the company testified at the EU Parliamentary hearing on “Big Tech and Spyware”.
TAG is actively tracking more than 30 vendors with varying levels of sophistication and public exposure selling exploits or surveillance capabilities to government-backed actors.
Italian spyware vendor RCS Lab, a known developer that has been active for over three decades, operates in the same market as Pegasus developer NSO Group.
RCS Lab has engaged with military and intelligence agencies in Pakistan, Chile, Mongolia, Bangladesh, Vietnam, Myanmar and Turkmenistan.
Hermit is a modular spyware that hides its malicious capabilities in packages downloaded after it’s deployed.
These modules, along with the permissions the core apps have, enable Hermit to exploit a rooted device, record audio and make and redirect phone calls, as well as collect data such as call logs, contacts, photos, device location and SMS messages.
Hermit tricks users by serving up the legitimate webpages of the brands it impersonates as it kickstarts malicious activities in the background.
The researchers said they are also aware of an iOS version of Hermit “but were unable to obtain a sample for analysis”.
Pegasus was developed by the Israeli cyber company NSO Group that can be covertly installed on iPhones and other devices.
It was capable of reading text messages, tracking calls, collecting passwords, location tracking, accessing the target device’s microphone and camera, and harvesting information from apps.
The spyware has been used for surveillance of activists, journalists and political leaders from several nations around the world, including in India.