According to research from Google’s Threat Analysis Group (TAG), a sophisticated spyware operation is using internet service providers (ISPs) to lure people into downloading dangerous programs. This supports earlier research from the security company Lookout, which connected the spyware, known as Hermit, to the Italian spyware maker RCS Labs.
Lookout claims that RCS Labs sells commercial spyware to numerous government agencies and works in the same industry as NSO Group, the notorious surveillance-for-hire business that created the Pegasus spyware. Hermit, according to researchers at Lookout, has already been used by the governments of Italy and Kazakhstan. According to these findings, Google has identified victims in both nations and says it will inform the individuals who are impacted.
By posing as a trusted source, usually a mobile carrier or messaging app, the spyware can infect both Android phones and iPhones. Google discovered that some attackers actually collaborated with ISPs to disable a victim’s mobile data in order to advance their plan. The attackers would then pose as the victim’s mobile carrier over SMS, leading the user to believe that downloading the malicious program would restore their internet connectivity. In cases where attackers were unable to cooperate with an ISP, according to Google, they disguised the spyware as genuine-looking messaging apps and tricked users into downloading them.
Hermit-containing apps, according to researchers from Lookout and TAG, were never made available through Google Play or the Apple App Store. However, by joining Apple’s Developer Enterprise Program, attackers were able to distribute compromised programs on iOS. This allowed them to obtain a certificate that “satisfies all of the iOS code signing criteria on any iOS devices” without going through the App Store’s usual verification process.
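The detail that matters for defenders in the paragraph above is the distribution channel: an app signed under the Developer Enterprise Program installs with an in-house provisioning profile that provisions every device, which is exactly what an App Store build never carries. The following script is an added example written for this page, not code from Google TAG, Lookout or RCS Labs, and it assumes you have already extracted the plist payload of an app’s embedded.mobileprovision (on macOS, `security cms -D -i embedded.mobileprovision` strips the CMS signature envelope). The two profile payloads, team names and identifiers in it are constructed placeholders.

```python
"""Classify an iOS provisioning profile and flag enterprise (in-house) distribution.

An embedded.mobileprovision file is a CMS-signed plist. This script works on the
decoded plist payload. The distribution type is inferred from well-known keys:
  ProvisionsAllDevices = true        -> enterprise / in-house (what the article describes)
  Entitlements.get-task-allow = true -> development build
  ProvisionedDevices present         -> ad hoc build (device-UDID allow list)
  none of the above                  -> App Store style profile
"""
import plistlib
from datetime import datetime, timezone
from typing import Optional

# Constructed sample 1: an in-house profile of the kind an Enterprise Program
# certificate produces. Team name and identifiers are placeholders.
ENTERPRISE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Name</key><string>Example In-House Distribution</string>
    <key>TeamName</key><string>EXAMPLE ORG SRL</string>
    <key>TeamIdentifier</key><array><string>PLACEHOLDER00</string></array>
    <key>ProvisionsAllDevices</key><true/>
    <key>ExpirationDate</key><date>2030-01-01T00:00:00Z</date>
    <key>Entitlements</key>
    <dict>
        <key>application-identifier</key><string>PLACEHOLDER00.com.example.messenger</string>
        <key>get-task-allow</key><false/>
    </dict>
</dict>
</plist>
"""

# Constructed sample 2: an ad hoc profile limited to listed device UDIDs.
ADHOC_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Name</key><string>Example Ad Hoc</string>
    <key>TeamName</key><string>EXAMPLE DEV TEAM</string>
    <key>TeamIdentifier</key><array><string>PLACEHOLDER11</string></array>
    <key>ProvisionedDevices</key><array><string>00000000-000000000000PLACEHOLDER</string></array>
    <key>ExpirationDate</key><date>2030-01-01T00:00:00Z</date>
    <key>Entitlements</key>
    <dict>
        <key>application-identifier</key><string>PLACEHOLDER11.com.example.beta</string>
        <key>get-task-allow</key><false/>
    </dict>
</dict>
</plist>
"""


def classify_profile(profile_plist: bytes, now: Optional[datetime] = None) -> dict:
    """Return a summary dict for a decoded provisioning-profile plist.

    'flag' is True when the profile provisions all devices, i.e. the app was
    distributed outside the App Store under an enterprise certificate. That alone
    is not proof of malice (legitimate in-house apps use it too), but on a
    device that should not carry any corporate apps it deserves a closer look.
    """
    profile = plistlib.loads(profile_plist)
    # plistlib returns naive datetimes in UTC, so compare against naive UTC.
    now = now or datetime.now(timezone.utc).replace(tzinfo=None)
    entitlements = profile.get("Entitlements", {})

    if profile.get("ProvisionsAllDevices"):
        kind = "enterprise"
    elif entitlements.get("get-task-allow"):
        kind = "development"
    elif "ProvisionedDevices" in profile:
        kind = "ad-hoc"
    else:
        kind = "app-store"

    expires = profile.get("ExpirationDate")
    team_ids = profile.get("TeamIdentifier") or [None]
    return {
        "name": profile.get("Name"),
        "team": profile.get("TeamName"),
        "team_id": team_ids[0],
        "app_id": entitlements.get("application-identifier"),
        "kind": kind,
        "expired": bool(expires is not None and expires < now),
        "flag": kind == "enterprise",
    }


if __name__ == "__main__":
    for label, data in (("enterprise sample", ENTERPRISE_PROFILE), ("ad hoc sample", ADHOC_PROFILE)):
        info = classify_profile(data)
        marker = "REVIEW" if info["flag"] else "ok"
        print(f"[{marker}] {label}: kind={info['kind']} team={info['team']} app={info['app_id']}")
```

In practice you would run this over the embedded.mobileprovision of every sideloaded app bundle you can collect from a device backup or an MDM inventory; App Store installs normally carry no such profile at all, so the mere presence of one with ProvisionsAllDevices set, from a team the user has no relationship with, is the signal the article’s distribution method leaves behind.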
Learn more about this at theverge.com