Illustration by Alex Castro / The Verge

A sophisticated spyware campaign is getting the help of internet service providers to trick users into installing malicious apps. This corroborates earlier findings from security research group Lookout, which has linked the spyware to a vendor in Italy.

NSO Group is a company that peddles commercial software to various government agencies, according to Lookout. According to researchers at Lookout, Hermit has already been deployed by the governments of Italy and Kazakhstan. In line with these findings, Google has identified victims in both countries.

Hermit is a threat that can be downloaded from a C2 server. The spyware can access the call records, location, photos, and text messages on the victim's phone. It can also record audio, make and intercept phone calls, and root an Android device, which gives it full control over the device's core operating system.

Apps containing Hermit were never made available via the Google Play or Apple App Store.

The spyware can take the form of a mobile carrier or messaging app in order to steal data from both phones. Some attackers switched off a victim's mobile data in order to further their scheme. The bad actors would pose as a victim's mobile carrier over the phone and trick users into believing that a malicious app will restore their internet connection. If attackers were not able to work with an internet service provider, they would pose as authentic messaging apps to trick users into downloads.

According to researchers from Lookout and TAG, Hermit was never made available via the Apple App Store. The attackers were able to distribute apps on the platform by signing up for the developer program. Bad actors were able to get a certificate that would allow them to circumvent the App Store's standard vetting process.

According to Apple, it has revoked any accounts associated with the threat. The update to the Play Protect app was pushed to all users.