By Igor Bonifacic, Engadget

Google warns internet service providers are helping distribute Hermit spyware

Google is warning of a sophisticated new spyware campaign that has seen malicious actors steal sensitive data from Android and iOS users in Italy and Kazakhstan. On Thursday, the company’s Threat Analysis Group (TAG) shared its findings on RCS Labs, a commercial spyware vendor based in Italy.

On June 16, security researchers linked the firm to Hermit, a spyware program believed to have been first distributed by Italian authorities as part of an anti-corruption operation in 2019. Lookout identifies RCS Labs as an NSO Group-like entity. The firm markets itself as a “legal intervention” business and claims to only work with government agencies. However, commercial spyware vendors have come under intense scrutiny in recent years, thanks in large part to governments using Pegasus spyware.

According to Google, Hermit can infect both Android and iOS devices. In some cases, the company’s researchers observed that malicious actors were working with their target’s internet service provider to disable the target’s data connection. They then sent an SMS message to the target asking them to download the associated software to restore their internet connection. If that wasn’t an option, bad actors tried to disguise the spyware as a legitimate messaging app like WhatsApp or Instagram.

What makes Hermit particularly dangerous is that it can gain additional abilities by downloading modules from a command and control server. Some of the plugins Lookout observed allowed the program to steal data from the target’s calendar and address book apps, as well as take pictures with their phone’s camera. One module even gave the spyware the ability to root an Android device.

Google believes Hermit never reached the Play or App stores. But the company has found evidence that bad actors can distribute spyware on iOS by signing up with Apple. Apple said that it has since blocked all accounts or certificates associated with the threat. Meanwhile, Google notified affected users and released an update for Google Play Protect.

The company closes by stating that the growth of the commercial spyware industry should concern everyone. “These vendors are spreading dangerous hacking tools and arming governments that may not be able to develop these capabilities in-house,” the company said. “While the use of surveillance technologies is legal under national or international law, they have often been found to be used by governments for purposes contrary to democratic values: targeting dissidents, journalists, human rights workers and opposition party politicians.”
