Google’s Threat Analysis Group (TAG), a group that specializes in tracking and analyzing government-backed hacking and attacks, recently published research on “Hermit” – a spyware that can compromise Android and iOS devices. Luckily, Apple has already found a way to stop the spread of this specific spyware on its devices.
As shared on TAG’s official blog (via TechCrunch), the group has confirmed the existence of the Hermit spyware, which was created by Italian software company RCS Lab to attack iOS and Android users. On both platforms, the spyware was distributed outside of the App Store and Google Play by sideloading.
More specifically, the attackers send a text message with a malicious link that tricks victims into downloading and installing the app. While Android lets any user easily install apps from outside of Google Play, the process on iOS is a bit more complex – but still not impossible.
Since Apple offers special certificates for companies to distribute enterprise apps to their employees outside of the App Store, RCS distributed its fake app to iOS users as an enterprise app. The spyware was masquerading as a legitimate telecom or messaging app. These apps run under the same sandbox rules as App Store apps, so they can’t access internal system files or user data without permission.
However, since enterprise apps are not reviewed by Apple, it is easier for them to exploit vulnerabilities in iOS. Once the spyware is installed on the victim’s device, it can capture audio from the microphone, redirect phone calls, collect photos, messages, and emails, and even report the current location of the device.
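The enterprise-distribution path described above leaves a trace that defenders can audit: an app installed outside the App Store ships an embedded.mobileprovision file, a CMS (PKCS#7) signature wrapping a cleartext XML plist whose ProvisionsAllDevices key marks in-house enterprise distribution. The script below, an added example rather than code from Google TAG, Lookout, Apple or RCS Lab, pulls that plist out of the signed blob and flags enterprise-provisioned apps whose team is not on the organisation’s allowlist, expired profiles, and debuggable builds. The sample profile blobs, the team IDs and bundle IDs are constructed for the demonstration, and the fake CMS wrapper carries no valid signature.

```python
"""Audit iOS provisioning profiles for unexpected enterprise (in-house) distribution.

Added example; not code from the article's sources. Assumes Apple's profile keys
(ProvisionsAllDevices, ProvisionedDevices, TeamIdentifier, TeamName,
ExpirationDate, Entitlements) and a plist embedded in cleartext inside the CMS blob.
"""
import plistlib
import re
from datetime import datetime

# Teams whose enterprise profiles this (hypothetical) organisation expects on managed devices.
KNOWN_ENTERPRISE_TEAMS = {"ACME1234XY"}
# Constructed audit time, kept as a constant so the sample run is reproducible.
AUDIT_TIME = datetime(2022, 6, 24)

# The plist sits in cleartext between the CMS header and the signature block.
_PLIST_RE = re.compile(rb"<\?xml.*?</plist>", re.DOTALL)


def extract_profile_plist(blob: bytes) -> dict:
    """Locate the XML plist inside a CMS-wrapped provisioning profile and parse it."""
    match = _PLIST_RE.search(blob)
    if not match:
        raise ValueError("no plist payload found in provisioning profile")
    return plistlib.loads(match.group(0))


def classify_profile(profile: dict, now: datetime) -> dict:
    """Classify a parsed profile and collect reasons an auditor should look at it."""
    if profile.get("ProvisionsAllDevices"):
        kind = "enterprise"           # in-house distribution: installable on any device
    elif "ProvisionedDevices" in profile:
        kind = "ad-hoc/development"   # limited to an explicit device list
    else:
        kind = "app-store"
    team = profile.get("TeamIdentifier", ["?"])[0]
    reasons = []
    if kind == "enterprise" and team not in KNOWN_ENTERPRISE_TEAMS:
        reasons.append(f"enterprise profile from unexpected team {team}")
    expires = profile.get("ExpirationDate")  # plistlib returns a naive datetime
    if expires is not None and expires <= now:
        reasons.append("profile expired")
    if profile.get("Entitlements", {}).get("get-task-allow"):
        reasons.append("debuggable build (get-task-allow)")
    return {"kind": kind, "team": team, "name": profile.get("TeamName", ""), "reasons": reasons}


def _fake_profile(fields: dict) -> bytes:
    """Constructed stand-in for embedded.mobileprovision: plist wrapped in a dummy CMS shell."""
    return b"\x30\x82\x0b\xadFAKE-CMS-HEADER" + plistlib.dumps(fields) + b"FAKE-CMS-SIGNATURE"


# Constructed inventory: bundle id -> provisioning profile blob pulled from each app bundle.
SAMPLE_APPS = {
    "com.acme.fieldtools": _fake_profile({
        "TeamIdentifier": ["ACME1234XY"], "TeamName": "ACME Corp",
        "ProvisionsAllDevices": True, "ExpirationDate": datetime(2023, 6, 1),
        "Entitlements": {"application-identifier": "ACME1234XY.com.acme.fieldtools"},
    }),
    "com.example.telecom-helper": _fake_profile({
        "TeamIdentifier": ["ZZ9PLURAL7"], "TeamName": "Example Telecom Srl",
        "ProvisionsAllDevices": True, "ExpirationDate": datetime(2023, 1, 1),
        "Entitlements": {"application-identifier": "ZZ9PLURAL7.com.example.telecom-helper"},
    }),
    "com.example.devbuild": _fake_profile({
        "TeamIdentifier": ["ACME1234XY"], "TeamName": "ACME Corp",
        "ProvisionedDevices": ["00008030-000000000000002E"],
        "ExpirationDate": datetime(2021, 1, 1),
        "Entitlements": {"get-task-allow": True},
    }),
}


def audit_apps(apps: dict, now: datetime) -> dict:
    """Return {bundle_id: classification} for every app whose profile raises at least one reason."""
    findings = {}
    for bundle_id, blob in apps.items():
        result = classify_profile(extract_profile_plist(blob), now)
        if result["reasons"]:
            findings[bundle_id] = result
    return findings


if __name__ == "__main__":
    for bundle_id, result in audit_apps(SAMPLE_APPS, AUDIT_TIME).items():
        print(f"{bundle_id}: {result['kind']} [{result['team']}] -> {'; '.join(result['reasons'])}")
```

On the constructed inventory the allowlisted ACME enterprise app passes, the telecom-branded app is reported because its enterprise profile comes from a team the organisation does not recognise, and the device-limited build is reported for an expired profile and a debug entitlement. Profile expiry is not the same as certificate revocation: when Apple revokes an enterprise certificate, the device learns that through its own online check, so a still-valid ExpirationDate is no guarantee the app is trusted.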
Research has identified victims of the spyware in Italy and Kazakhstan, while Lookout (the first company to report Hermit spyware) says it has also been used in Syria.
Who are the targets of Hermit spyware?
At this point, the specific targets of the Hermit spyware remain unclear, but there’s evidence that RCS Lab has been selling the spyware to “government-backed actors.” Hermit is probably used in a similar way to NSO Pegasus spyware, which lets authoritarian governments surveil journalists, political opponents, activists, and human rights defenders.
Even if this kind of spyware is not aimed at regular users, its existence is still a serious threat to people’s security and privacy. Last year, Apple filed a lawsuit against the NSO Group, alleging that the organization spends millions of dollars to break iOS security protections and put users in danger.
Apple has stopped the spread of Hermit spyware
For now, Apple has found a way to stop the spread of Hermit spyware. A company spokesperson said that all known accounts and certificates associated with the spyware have been revoked, so the malicious app can no longer be distributed outside of the App Store.
Of course, this doesn’t mean that iOS users are completely safe from the threat. Just like NSO Group, RCS Lab can still find another way to exploit iOS to distribute its spyware. The best advice for any smartphone user is to never click on unknown links and never install apps from a source you don’t know.