People store just about anything on their phones. It's an advantage, but also a huge disadvantage in this interconnected world.
The advantage, of course, include the fact that people can bring their data everywhere they go. The sad news however, hackers know this too. Malicious actors lurk in the shadows, waiting and preying on unsuspecting victims, by planting malware on their phones, in order to spy on them, and steal their data.
And this time, there is yet another spyware found, and it's extremely dangerous.
The name is 'Hermit'.
It's a commercial spyware known to be used by governments, with victims in Kazakhstan, Italy and north Syria.
The spyware uses various modules, which it downloads from its command and control servers whenever they are needed to collect call logs, record audio, redirect phone calls and collect photos, messages, emails, and the device’s precise location.
Security researchers at Lookout were the ones who initially reported it. And this time, Google's Threat Analysis Group and Project Zero confirmed this.
Hermit comes from the Italian software house RCS Lab.
According to its website, the Milan-based company has clients coming from European law enforcement agencies, among others, and that the company develops tools to spy on private messages and contacts of targeted devices.
RCS Lab describes itself as a maker of “lawful interception” technologies and services including voice, data collection and “tracking systems”.
RCS Lab said that its products and services comply with European rules and help law enforcement agencies investigate crimes.
The company said that It handles 10,000 intercepted targets daily in Europe alone.
"RCS Lab personnel are not exposed, nor participate in any activities conducted by the relevant customers," the company said.
Realizing that the global industry making spyware for governments has been growing, with more companies developing interception tools for law enforcement, Google is condemns them.
"The commercial spyware industry is thriving and growing at a significant rate," Google said.
"These vendors are enabling the proliferation of dangerous hacking tools and arming governments that would not be able to develop these capabilities in-house."
Google also said that it had taken steps to protect users of its Android operating system and alerted them about the Hermit.
The same goes for Apple, saying that it had also revoked all known accounts and certificates associated with this Hermit hacking campaign.
This hacking, and commercialized spying industry came under a global spotlight when the Israeli surveillance firm NSO Group’s Pegasus spyware was found targeting officials from many governments around the world, including journalists, activists, and dissidents.
While RCS Lab’s tool may not be as stealthy as Pegasus, it is still a huge threat.
According to both Google and Lookout, the spyware spreads by getting people to click on links in messages sent to targets.
"In some cases, we believe the actors worked with the target’s ISP (internet service provider) to disable the target’s mobile data connectivity," Google said.
"Once disabled, the attacker would send a malicious link via SMS asking the target to install an application to recover their data connectivity."
One example was the Kazakh targeted campaign, which connected to an IP address administered by STS Telecom, a small ISP operating out of Nur-Sultan, Kazakhstan’s capital.
This suggest a state-backed hacking campaign.
When not masquerading as ISP provider, hackers using Hermit would send links pretending to be from phone makers or messaging applications to trick people into clicking, researchers said.
"Hermit tricks users by serving up the legitimate webpages of the brands it impersonates as it kickstarts malicious activities in the background," Lookout researchers said.
Protection Against The Hermit
With more and more people use smartphones as their daily driver for almost anything, the most data they will generate.
"With sophisticated data collection capabilities, and the fact that we carry them all the time, mobile devices are the perfect target for surveillance," said Lookout.
While most people won't be targeted by sophisticated spyware like the Hermit, there are some things people need to follow to keep themselves safe:
- Update operating system and apps. Hacks usually involve exploiting weaknesses in software. Updating should help solve most issues.
- Never click unknown links. Spreading links is the most common ways for attackers to deliver malware.
- Never install unknown apps. Just like links, apps can harbor unknown codes, including malware.
- Periodically review installed apps. This is because sometimes, malware can change the settings it was first granted.
In addition to following the security best practices outlined above, Lookout also strongly recommend having a dedicated mobile security solution to ensure that users' devices aren't compromised by malware or phishing attacks.