ISPs allegedly conspired with a spyware vendor to infect users

June 29, 2022
Tags: ISP, Spyware Vendor, Mobile Users, RCS Labs, Surveillance, Android, iOS, Italy, Kazakhstan, Surveillanceware, Google

A spyware vendor, RCS Labs, was reportedly aided by unidentified Internet Service Providers (ISPs) in spreading surveillance tools to Android and iOS users in Italy and Kazakhstan.

Google’s Threat Analysis Group (TAG) had been tracking RCS Labs alongside 29 other spyware vendors. Based on its analysis of the attacks, victims were instructed to install a malware-laden application in order to get back online after their ISP had disconnected them.

The researchers also believe that the attackers conspired with a targeted victim’s ISP to disable the victim’s internet connection, such as their mobile data connectivity, before proceeding with the attack. Once offline, the victim is sent a text message containing a malicious link that supposedly helps them reconnect.


However, Google added that some spyware vendors could not work with their targets’ ISPs, and in those cases they imitated popular messaging applications, such as WhatsApp, to spread their spyware.


These spyware-laden applications are obtained from third-party sources outside the official Google Play and App Store. iOS users are instructed to install the malicious apps from third-party sources as sideloaded builds signed with an enterprise certificate.

The infected iOS applications are equipped with built-in exploits that escalate the attackers’ privileges inside the compromised device in order to steal sensitive files and data. The reported exploits include CVE-2018-4344, CVE-2019-8605, CVE-2020-3837, CVE-2020-9907, CVE-2021-30883, and CVE-2021-30983.

Meanwhile, the malicious apps on Android devices carry no exploits, but they can still load and execute additional payloads at runtime through the DexClassLoader API.
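Runtime code loading through DexClassLoader leaves a static footprint: the class descriptor has to appear in the DEX string table of the app that uses it. The following triage script, added here as an illustration and not part of the original article or of Google TAG's tooling, unpacks an APK (a zip file), scans every `classes*.dex` entry for dynamic-code-loading descriptors, and reports which were found. The indicator list and the two sample APKs it scans are constructed for the example; a real analysis would follow a hit with a proper disassembly of the call sites.

```python
import io
import re
import zipfile

# Class descriptors that show up in the DEX string table when an app loads
# code at runtime. A byte search is a first-pass triage, not a full decode.
DYNAMIC_LOADING_INDICATORS = {
    b"Ldalvik/system/DexClassLoader;": "DexClassLoader",
    b"Ldalvik/system/InMemoryDexClassLoader;": "InMemoryDexClassLoader",
    b"Ldalvik/system/PathClassLoader;": "PathClassLoader",
    b"Ljava/lang/Runtime;": "Runtime (possible exec of dropped binaries)",
}

DEX_ENTRY = re.compile(r"classes\d*\.dex")


def scan_apk_for_dynamic_loading(apk_bytes: bytes) -> dict:
    """Return {dex_entry_name: [indicator labels]} for each .dex that matches.

    Entries with no hits are omitted, so an empty dict means nothing was found.
    """
    findings = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if not DEX_ENTRY.fullmatch(name):
                continue
            data = zf.read(name)
            hits = [label for needle, label in DYNAMIC_LOADING_INDICATORS.items()
                    if needle in data]
            if hits:
                findings[name] = hits
    return findings


def build_sample_apk(dex_payloads: dict) -> bytes:
    """Constructed helper: build a minimal APK-shaped zip from {entry: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        for name, data in dex_payloads.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: a DEX magic header followed by a few fake string-table
# entries. The first references DexClassLoader, the second does not.
SUSPICIOUS_APK = build_sample_apk({
    "classes.dex": b"dex\n035\x00"
                   b"Landroid/app/Activity;\x00"
                   b"Ldalvik/system/DexClassLoader;\x00"
                   b"Ljava/io/File;\x00",
    "classes2.dex": b"dex\n035\x00Landroid/content/Context;\x00",
})
BENIGN_APK = build_sample_apk({
    "classes.dex": b"dex\n035\x00Landroid/app/Activity;\x00",
})


if __name__ == "__main__":
    for label, apk in (("suspicious", SUSPICIOUS_APK), ("benign", BENIGN_APK)):
        print(label, scan_apk_for_dynamic_loading(apk))
```

Run as-is it reports the DexClassLoader descriptor in `classes.dex` of the first sample and nothing for the second. Many legitimate apps also use these loaders (plugin frameworks, hot-fix libraries), so a hit is a reason to look closer at where the loaded DEX comes from, not a verdict on its own.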

The researchers tracked the spyware as Hermit and immediately warned affected Android users whose devices had been compromised. As explained, Hermit is a modular “surveillanceware” that, once loaded onto a device, can record audio, make phone calls, and harvest data such as text messages, call logs, photos, location, and contact lists.

After discovering the malicious activities, Google’s security team dismantled the Firebase projects used as command-and-control (C2) infrastructure for the spyware campaign.
