Security researchers at the cloud-based company Lookout have recently discovered a new spyware threat called ‘Hermit’ that is capable of affecting both Android and iOS devices. According to reports, an Android version of the spyware was used in ‘targeted attacks by the national government with victims in Kazakhstan, Syria, and Italy. Now Google researchers have confirmed much of Lookout’s findings and are notifying Android users whose devices were compromised by the spyware.
Google’s Threat Analysis Group (TAG), has described the Hermit spyware as part of a dangerous and sophisticated malware attack that is actively being used. Attackers are using zero-day vulnerabilities (those that haven’t yet been patched) and other dangerous loopholes in Android and iOS codes to deploy malware that can take control of someone’s device.
What is Hermit spyware?
Researchers at Lookout have said that Hermit is a ‘modular surveillance-ware that hides its malicious capabilities in packages downloaded after it is deployed’. This spyware can not only record audio but also make and redirect phone calls, and collect data such as call logs, photos, contacts, SMS messages, and even device location on the targeted smartphone.
How does spyware work?
The Hermit spyware is distributed through SMS messages that pretend to come from some legitimate source. In the samples analyzed by the research team, the spyware mimicked the applications of smartphone manufacturers or telecom companies. “Hermit tricks users by serving up the legitimate webpages of the brands it impersonates as it kickstarts malicious activities in the background,” Lookout researchers noted in the blog post.
The spyware loads and displays the website from the impersonated company simultaneously as malicious activities begin in the backdrop. “If the device is confirmed to be exploitable then it will communicate with the C2 to acquire the files necessary to exploit the device and start its root service. This service will then be used to enable elevated device privileges such as access to accessibility services, notification content, package use state, and the ability to ignore battery optimization,” the researchers added.
Google’s TAG said that all the attacks its team observed began with a unique link sent to the target. Once the user clicks on the link, the page will attempt to make the user download and install a malicious app on an Android or iOS device. “In some cases, we believe the actors worked with the target’s ISP to disable the target’s mobile data connectivity,” TAG noted in their blog. “We believe this is the reason why most of the applications masqueraded as mobile carrier applications. When ISP involvement is not possible, applications are masqueraded as messaging applications,” it added.
How can I protect myself from this spyware?
Google has already warned all its Android victims. Also, the company has implemented changes in Google Play Protect and disabled the Firebase projects used as C2 in this campaign. On their part, Android and iOS users can download the latest version of mobile OS on their smartphones. Additionally, smartphone users should avoid downloading unknown apps or clicking on any links from unknown sources.
- Can Your Company Blog Be Featured In Google News? - December 20, 2023
- Bringing Back Vision: Smart Glasses Help the Blind “See” Through Sound - November 2, 2023
- Apple intends to largely push generative AI into its devices and services - October 25, 2023
