In brief: Governments around the world are increasingly deploying mobile spyware in response to civil wars. Reports from Google and Lookout Threat Lab describe multiple spyware campaigns run by Italian company RCS Labs. In some cases, ISPs helped distribute “Hermit” spyware, which the company can sideload onto iPhones.
A report from the Google Threat Analysis Team describes how Italian company RCS Labs distributes its Hermit spyware on behalf of customers, including national governments. It ties into Lookout Threat Lab’s report from earlier this month.
Attackers proliferate Hermit via SMS links that lead to fake web pages masquerading as real companies, such as a Facebook account recovery page or a support page for Chinese tech company Oppo. The pages may prompt users to download apps that provide the spyware.
However, in some cases the target’s ISP collaborates with the attackers by disabling the target’s mobile data connection. The target then receives a message with a link that purports to restore the service but actually installs Hermit.
Examples of fake web pages distributing Hermit spyware
Through drive-by downloads and multiple known exploits, RCS can sideload Hermit-carrying apps onto iOS devices, because the company is enrolled in the Apple Developer Enterprise Program. These apps never appear in the Apple App Store, yet they are signed with legitimate iOS enterprise certificates and run inside the iOS app sandbox. Similar drive-by downloads work on Android when users have enabled sideloading; those apps likewise never appear on Google Play.
Google and Lookout observed Hermit deployed most notably in Kazakhstan. Lookout also saw it in Kurdish areas of Syria, and found that RCS has connections with the governments of Vietnam, Myanmar, Pakistan, Chile, Mongolia, Bangladesh and Turkmenistan.
To reduce the risk of spyware, users should keep their mobile devices up to date, avoid suspicious or unknown links, be careful when installing new apps, and periodically review the apps installed on their devices.