Hermit spyware, attributed to an Italian company, targets both Android and iOS users. On iOS, attackers distributed the spyware outside of the App Store by posing as an enterprise app. Apple has revoked all known accounts and certificates associated with Hermit, which blocks further installs of the apps signed with them.
Google Confirms the Existence of Hermit Spyware
Google’s Threat Analysis Group (TAG) confirmed the existence of Hermit, spyware that can compromise both Android and iOS devices. According to Google, RCS Labs, an Italian software company, created the spyware. RCS Labs used a combination of tactics, including atypical drive-by downloads, as initial infection vectors to target iOS and Android users.
Attackers Distribute the Spyware via Text Message
According to Google, the attackers distribute the spyware by sending a text message with a malicious link. The link leads iOS users to a page that tries to convince them to download and install the app on their devices. iOS’s restrictions on installing software from outside the App Store make this harder, but Google noted it was still possible.
To bypass App Store review entirely, RCS Labs distributed a fake app to iOS users that poses as an enterprise app. Apple issues certificates through its Developer Enterprise Program so that companies can sign in-house software and distribute it to their employees outside the App Store; an app signed this way can be installed on any device once the user trusts the enterprise profile in Settings. The fake enterprise app was made to look like a legitimate telecom or messaging app.
Because the app is delivered under an enterprise certificate, Apple never reviews it: the Cupertino-based company doesn’t review software installed outside of the App Store. Once installed, the spyware can capture audio from the microphone, redirect phone calls, collect photos, and more.
Both Google and the security research firm Lookout confirmed that the spyware successfully victimized users in Kazakhstan and Italy.
Apple Revokes Accounts and Certificates Associated with Hermit Spyware
An Apple spokesperson told TechCrunch that the company has already revoked all known accounts and certificates associated with the Hermit spyware. Although it is not clear who the targets are, the spyware is suspected of being used in the same way as NSO Group’s Pegasus, which governments have used to surveil journalists, activists, and political opponents.