Posted on June 27, 2022 at 3:25 PM
Google has alerted Android users that internet service providers (ISPs) helped threat actors infect targeted smartphones with the Hermit spyware. The warning comes barely a week after Lookout reported the malware's use by the government of Kazakhstan within its borders.
Google also said it has made changes to Google Play Protect, Android's built-in malware defense, to better protect users.
Google Threat Analysis Group (TAG) researchers Clement Lecigne and Benoit Sevens reported the findings and urged users to be more vigilant in securing their devices.
Hermit was developed by the Italian vendor RCS Lab. Last week, Lookout documented the malware's activity and called out its modular design. The firm also detailed its capabilities, which include harvesting sensitive data such as contacts, SMS messages, precise location, and call logs.
The Malware Has Several Capabilities
Once it has infiltrated a device, the malware can make and redirect phone calls and record audio. After being granted Android's accessibility service permission, it also monitors whichever app the targeted user has in the foreground.
Its modular design makes it a fully customizable tool whose functionality can be altered or extended at will. It is not clear, however, which RCS Lab clients were involved or who was targeted in the campaign.
RCS Lab was established in 1993 and claims to provide technical support and cutting-edge solutions to law enforcement agencies worldwide. The company says it handles more than 10,000 intercepted targets in Europe alone.
Richard Melick, director of threat reporting at Zimperium, said Hermit is another example of a digital weapon used to attack civilians and their mobile devices, and that the data its operators collect with the tool is highly valuable.
The Attackers Partnered With ISPs To Target Devices
The attackers infected Android users' devices with the spy tool through drive-by downloads: a unique link delivered in an SMS message starts the attack chain when clicked.
According to the report, the threat actors worked with the victim's internet service provider (ISP) to disable the target's mobile data connectivity, then sent an SMS advising the recipient to install an app to restore data access.
“We believe this is the reason why most of the applications masqueraded as mobile carrier applications,” the researchers stated.
The Google team also said the threat actors relied on enterprise provisioning profiles that allowed bogus carrier-branded apps to be sideloaded onto iOS devices outside the App Store. After the disclosure, Apple acted swiftly to revoke the known certificates and accounts linked to the operation.
The team explained that enterprise certificates are meant only for a company's internal use, not for general app distribution, because they can be used to circumvent iOS and App Store protections. Despite the program's limited scale and tight controls, threat actors are finding ways into it, including by buying enterprise certificates on the dark web.
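A practical check that follows from the two paragraphs above: an app installed through an enterprise provisioning profile can be told apart from an App Store build by the embedded.mobileprovision file inside its .app bundle. The script below is an added example written for this article, not code from Google TAG, Lookout or RCS Lab. It assumes that the file is a DER-encoded CMS blob whose signed payload is an XML plist, that App Store builds ship without the file, and that an enterprise in-house profile sets ProvisionsAllDevices to true while ad-hoc and development profiles carry a ProvisionedDevices list instead. SAMPLE_PROFILE is constructed for the example and the team and bundle names in it are invented.

```python
"""Tell an enterprise-signed (sideloaded) iOS app from an App Store one
by reading its embedded provisioning profile.

Added example for this article, not code from Google TAG, Lookout or
RCS Lab.  Assumptions: Payload/<App>.app/embedded.mobileprovision inside
an IPA is a DER-encoded CMS blob whose signed payload is an XML plist
(App Store builds ship without this file); an enterprise in-house profile
sets ProvisionsAllDevices to true, while ad-hoc and development profiles
carry a ProvisionedDevices list.  SAMPLE_PROFILE is constructed; the team
and bundle names are invented.
"""
import plistlib
from datetime import datetime, timezone

SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>AppIDName</key><string>Carrier Data Restore</string>
  <key>TeamName</key><string>Example Telecom Services S.r.l.</string>
  <key>TeamIdentifier</key><array><string>ABCDE12345</string></array>
  <key>ProvisionsAllDevices</key><true/>
  <key>CreationDate</key><date>2022-04-01T00:00:00Z</date>
  <key>ExpirationDate</key><date>2023-04-01T00:00:00Z</date>
  <key>Entitlements</key>
  <dict>
    <key>application-identifier</key><string>ABCDE12345.com.example.carrier.restore</string>
    <key>get-task-allow</key><false/>
  </dict>
</dict>
</plist>
"""
# Constructed stand-in for the CMS/DER envelope that wraps the plist on disk.
SAMPLE_PROFILE = b"\x30\x82\x0b\x3d\x06\x09" + b"\x00" * 24 + SAMPLE_PLIST + b"\x00" * 16


def extract_plist(raw: bytes) -> dict:
    """Pull the XML plist out of the CMS wrapper without checking the
    signature: the plaintext plist is embedded verbatim inside the DER.
    (On macOS, `security cms -D -i embedded.mobileprovision` does the same.)"""
    start = raw.find(b"<?xml")
    end = raw.find(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("no XML plist found in provisioning profile")
    return plistlib.loads(raw[start:end + len(b"</plist>")])


def triage_app(profile_bytes, now_iso=None) -> dict:
    """Classify an app by its provisioning profile.  Pass None when the
    .app bundle has no embedded.mobileprovision at all."""
    if profile_bytes is None:
        return {"kind": "app-store", "sideloaded": False}
    if now_iso:
        now = datetime.fromisoformat(now_iso)
    else:
        # plistlib returns naive UTC datetimes, so compare against naive UTC.
        now = datetime.now(timezone.utc).replace(tzinfo=None)
    p = extract_plist(profile_bytes)
    if p.get("ProvisionsAllDevices"):
        kind = "enterprise"          # in-house distribution, installs on any device
    elif p.get("ProvisionedDevices"):
        kind = "ad-hoc/development"  # limited to a list of device UDIDs
    else:
        kind = "unknown"
    ents = p.get("Entitlements", {})
    exp = p.get("ExpirationDate")
    return {
        "kind": kind,
        "sideloaded": True,
        "team": p.get("TeamName"),
        "app_id": ents.get("application-identifier"),
        "expired": bool(exp and exp < now),
        # A debuggable (get-task-allow) build outside the App Store is unusual.
        "debuggable": bool(ents.get("get-task-allow")),
    }


if __name__ == "__main__":
    print(triage_app(SAMPLE_PROFILE))
```

The check deliberately does not verify the CMS signature: the point is to surface enterprise-signed apps for review, and a revoked certificate (as happened here) would only make the verification fail after the fact.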
The Malware Exploits Six Vulnerabilities
Based on their analysis of the iOS version of the spyware, the researchers found that the malware and its handlers leverage six vulnerabilities to steal files, such as WhatsApp databases, from the device. These vulnerabilities are CVE-2021-30983, CVE-2021-30883, CVE-2020-9907, CVE-2020-3837, CVE-2019-8605, and CVE-2018-4344.
According to Ian Beer of Google's Project Zero, as memory-corruption exploitation keeps getting more expensive for threat actors, they are gradually shifting their focus. The Android drive-by download requires the victim to enable installation of apps from unknown sources, and many users would be wary of granting extensive permissions to an unknown app, which makes this vector less reliable.
The Android variant is also wired differently: besides attempting to root the device for entrenched access, it is built to download and execute remote components rather than bundling exploits in the APK file.
The Google research team noted that the campaign shows threat actors do not always need exploits to obtain the permissions they require. As this case demonstrates, drive-by downloads and basic infection vectors can still succeed with the assistance of local ISPs. The team also warned that vendors like RCS Lab are secretly supplying zero-day exploits, and that the resulting risk is severe, as the activity of such vendors over the past 10 years has shown.
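The Android chain described above relies on two device-level conditions: an app installed from outside the Play Store, and that app being granted an accessibility service (which is how Hermit monitors foreground apps). The script below is an added example for this article, not Google TAG's or Lookout's tooling. It parses the output of two real adb commands, `adb shell pm list packages -3 -i` and `adb shell settings get secure enabled_accessibility_services`, and flags packages that meet both conditions. The sample outputs are constructed, the package names are invented, and TRUSTED_INSTALLERS is a fleet-specific assumption.

```python
"""Triage an Android device for the two conditions the Hermit campaign
depended on: apps installed from outside the Play Store and apps that
have been granted an accessibility service.

Added example for this article, not Google TAG's or Lookout's tooling.
It parses the output of two real adb commands:
    adb shell pm list packages -3 -i
    adb shell settings get secure enabled_accessibility_services
The sample outputs below are constructed and the package names are
invented; TRUSTED_INSTALLERS is a fleet-specific assumption.
"""
import re
import subprocess

# Assumption: only the Play Store is a trusted installer.  Add your MDM
# agent's package name here if it installs apps on managed devices.
TRUSTED_INSTALLERS = {"com.android.vending"}

PKG_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")

# Constructed output of `pm list packages -3 -i`.  A package installed
# through the system package installer (a downloaded APK) reports
# com.google.android.packageinstaller; one pushed with `adb install`
# reports null.
SAMPLE_PM = """\
package:com.android.chrome  installer=com.android.vending
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.carrier.datarestore  installer=com.google.android.packageinstaller
package:com.example.notes  installer=null
"""

# Constructed value of `settings get secure enabled_accessibility_services`.
SAMPLE_A11Y = (
    "com.example.carrier.datarestore/com.example.carrier.datarestore.AccessService:"
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
)


def parse_installed(pm_output: str) -> dict:
    """Map package name -> installer package name (or the string 'null')."""
    pkgs = {}
    for line in pm_output.splitlines():
        m = PKG_RE.match(line.strip())
        if m:
            pkgs[m.group(1)] = m.group(2)
    return pkgs


def parse_accessibility(setting: str) -> set:
    """The setting is 'null' or a colon-separated list of package/ServiceClass."""
    setting = setting.strip()
    if setting in ("", "null"):
        return set()
    return {entry.split("/", 1)[0] for entry in setting.split(":") if entry}


def triage(pm_output: str, a11y_setting: str) -> dict:
    pkgs = parse_installed(pm_output)
    sideloaded = {p for p, inst in pkgs.items() if inst not in TRUSTED_INSTALLERS}
    a11y = parse_accessibility(a11y_setting)
    return {
        "sideloaded": sorted(sideloaded),
        "accessibility": sorted(a11y),
        # Sideloaded AND holding an accessibility service: the Hermit profile.
        "high_risk": sorted(sideloaded & a11y),
    }


def triage_device(serial=None) -> dict:
    """Run both commands against a connected device via adb (needs adb on PATH)."""
    base = ["adb"] + (["-s", serial] if serial else []) + ["shell"]
    pm = subprocess.run(base + ["pm", "list", "packages", "-3", "-i"],
                        capture_output=True, text=True, check=True).stdout
    a11y = subprocess.run(base + ["settings", "get", "secure",
                                  "enabled_accessibility_services"],
                          capture_output=True, text=True, check=True).stdout
    return triage(pm, a11y)


if __name__ == "__main__":
    print(triage(SAMPLE_PM, SAMPLE_A11Y))
```

A screen reader such as TalkBack legitimately holds an accessibility service, which is why the script only escalates packages that are also sideloaded. On Android 8 and later the "install unknown apps" permission is granted per app, so a follow-up check is `adb shell appops get <package> REQUEST_INSTALL_PACKAGES` for each sideloaded package.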