Headline
ISPs Helping Attackers Install Hermit Spyware on Smartphones- Google
By Deeba Ahmed According to Google, Italian spyware provider RCS Labs received support from several Internet Service Providers (ISPs) to distribute… This is a post from HackRead.com Read the original post: ISPs Helping Attackers Install Hermit Spyware on Smartphones- Google
****According to Google, Italian spyware provider RCS Labs received support from several Internet Service Providers (ISPs) to distribute Hermit spyware on iOS and Android smartphones in Kazakhstan and Italy.****
Google Threat Analysis Group published its findings on the highly sophisticated Hermit spyware. Report authors Benoit Sevens and Clement Lecigne wrote that an Italian spyware provider, RCS Labs, received support from several Internet Service Providers (ISPs) to distribute Hermit spyware on iOS and Android smartphones in Kazakhstan and Italy using commercially available surveillance tools.
Drive-By-Downloads to Infect Target Devices
Researchers state that this campaign, which mainly relies on drive-by-downloads, proves threat actors may not always rely on exploits to get extensive permissions on a device. Through drive-by-downloads, they can fulfill their malicious goals just as effectively with the help of ISPs.
Attack Scenario
The attackers get their victim’s internet connection disrupted with the support of ISPs. In some cases, the target’s ISP disabled their mobile data connection. The victims are then requested to install a malicious application to get back online through an SMS message containing a URL. The victim is asked to install the application and resume their data connection.
Since the campaign involves ISPs, these apps are disguised as legit mobile carrier apps. In scenarios where attackers couldn’t directly influence the target’s ISP, they embedded the spyware in apps disguised as messaging applications.
The victim is redirected to a fake support page where they are promised to recover their suspended social media (Facebook and Instagram) and WhatsApp accounts. Though the social media links let the user install the official apps, the WhatsApp link leads the victim to a fake version of the WhatsApp app.
A screenshot shared by Google shows one of the malicious sites involved in the attack (fb-techsupportcom
Malicious iOS Apps used by 6 Different Exploits
According to a blog post published by Google’s Threat Analysis Group, these malicious apps were unavailable on Google Play and Apple App Store. The threat actors sideloaded the iOS version, which was signed with an enterprise certificate.
The target was asked to enable installation for these apps through unknown sources. The iOS apps used in the attack contain a “generic privilege escalation exploit wrapper” used by 6 different exploits. It also includes a “minimalist agent” that can exfiltrate device data, including the WhatsApp database. Details of these exploits are as follows:
- CVE-2021-30883 known as Clicked2
- CVE-2021-30983 known as Clicked3
- CVE-2020-9907 known as AveCesare
- CVE-2020-3837 known as TimeWaste
- CVE-2018-4344 known as LightSpeed
- CVE-2019-8605 known as SockPort2/SockPuppet
Android Version Details
The drive-by attacks on Android phones require the victims to enable a setting for installing third-party apps from unknown sources, after which fake apps disguised as legit brand apps like Samsung request extensive permissions. Besides rooting the device for rooted access, the apps are designed to fetch/execute arbitrary remote components, which communicate with the main application.
Hermit Capabilities
Hermit boasts a modular feature set and can steal sensitive data from smartphones, including location, contacts, call logs, and SMS messages. The spyware’s modularity allows it to become fully customizable.
Once installed on the device, it can record audio and even make/redirect phone calls, apart from abusing accessibility services permissions. However, researchers didn’t specify the RCS Labs clients involved in this campaign or its targets. For your information, RCS Labs is among the 30 spyware providers currently tracked by Google.
- Edward Snowden urges users to stop using ExpressVPN
- How a Woman’ Fitbit Fitness Tracker Helped Solve Her Murder Case
- Pics of IDF women soldiers helped hackers to breach Israeli Military Servers
- Cloud video platform abused in web skimmer attack against real estate sites
- Cybercrime Syndicate Leader Behind Phishing, BEC Scams Arrested in Nigeria
Related news
A new commercial spyware for governments, called Hermit, has spotted in the wild. It affects iOS and all Android versions. The post Hermit spyware is deployed with the help of a victim’s ISP appeared first on Malwarebytes Labs.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) this week moved to add a Linux vulnerability dubbed PwnKit to its Known Exploited Vulnerabilities Catalog, citing evidence of active exploitation. The issue, tracked as CVE-2021-4034 (CVSS score: 7.8), came to light in January 2022 and concerns a case of local privilege escalation in polkit's pkexec utility, which allows an
A week after it emerged that sophisticated mobile spyware dubbed Hermit was used by the government of Kazakhstan within its borders, Google said it has notified Android users of infected devices. Additionally, necessary changes have been implemented in Google Play Protect — Android's built-in malware defense service — to protect all users, Benoit Sevens and Clement Lecigne of Google Threat
A week after it emerged that sophisticated mobile spyware dubbed Hermit was used by the government of Kazakhstan within its borders, Google said it has notified Android users of infected devices. Additionally, necessary changes have been implemented in Google Play Protect — Android's built-in malware defense service — to protect all users, Benoit Sevens and Clement Lecigne of Google Threat
A week after it emerged that sophisticated mobile spyware dubbed Hermit was used by the government of Kazakhstan within its borders, Google said it has notified Android users of infected devices. Additionally, necessary changes have been implemented in Google Play Protect — Android's built-in malware defense service — to protect all users, Benoit Sevens and Clement Lecigne of Google Threat
A week after it emerged that sophisticated mobile spyware dubbed Hermit was used by the government of Kazakhstan within its borders, Google said it has notified Android users of infected devices. Additionally, necessary changes have been implemented in Google Play Protect — Android's built-in malware defense service — to protect all users, Benoit Sevens and Clement Lecigne of Google Threat
A week after it emerged that sophisticated mobile spyware dubbed Hermit was used by the government of Kazakhstan within its borders, Google said it has notified Android users of infected devices. Additionally, necessary changes have been implemented in Google Play Protect — Android's built-in malware defense service — to protect all users, Benoit Sevens and Clement Lecigne of Google Threat
A week after it emerged that sophisticated mobile spyware dubbed Hermit was used by the government of Kazakhstan within its borders, Google said it has notified Android users of infected devices. Additionally, necessary changes have been implemented in Google Play Protect — Android's built-in malware defense service — to protect all users, Benoit Sevens and Clement Lecigne of Google Threat
The company is warning victims in Italy and Kazakhstan that they have been targeted by the malware from Italian firm RCS Labs.
The company is warning victims in Italy and Kazakhstan that they have been targeted by the malware from Italian firm RCS Labs.
The company is warning victims in Italy and Kazakhstan that they have been targeted by the malware from Italian firm RCS Labs.
The company is warning victims in Italy and Kazakhstan that they have been targeted by the malware from Italian firm RCS Labs.
The company is warning victims in Italy and Kazakhstan that they have been targeted by the malware from Italian firm RCS Labs.
The company is warning victims in Italy and Kazakhstan that they have been targeted by the malware from Italian firm RCS Labs.
This issue was addressed with improved checks. This issue is fixed in iOS 15.1 and iPadOS 15.1, macOS Monterey 12.0.1, tvOS 15.1, watchOS 8.1, macOS Big Sur 11.6.1. A local attacker may be able to elevate their privileges.
A lock screen issue allowed access to contacts on a locked device. This issue was addressed with improved state management. This issue is fixed in iOS 15.2 and iPadOS 15.2. An attacker with physical access to a device may be able to see private contact information.
This issue was addressed with improved checks. This issue is fixed in iOS 14.8.1 and iPadOS 14.8.1, iOS 15.1 and iPadOS 15.1, macOS Monterey 12.0.1. A local attacker may be able to cause unexpected application termination or arbitrary code execution.
Multiple out-of-bounds write issues were addressed with improved bounds checking. This issue is fixed in macOS Big Sur 11.6.1. A malicious application may be able to execute arbitrary code with kernel privileges.
The issue was addressed with improved permissions logic. This issue is fixed in macOS Monterey 12.0.1, macOS Big Sur 11.6.1. An unprivileged application may be able to edit NVRAM variables.
An out-of-bounds read was addressed with improved input validation. This issue is fixed in macOS Catalina 10.15.6, tvOS 13.4.8, watchOS 6.2.8. A remote attacker may be able to cause unexpected system termination or corrupt kernel memory.