Google Warns of Sophisticated Malware Distributed With The Help of ISPs

Google has spotted a dangerous new breed of malware making the rounds online, but the tool ID’d by security firm Lookout as “Hermit” isn’t your average money-making scheme. According to Google’s Threat Analysis Group (TAG), this spyware was developed by an Italian company called RCS Labs. The firm claims to be on the right side of the law, but that doesn’t change the fact that its software is being used to breach user privacy.

RCS Labs is one of numerous “lawful intercept” businesses, which work with governments and law enforcement to collect data from targets. Often, that means developing powerful surveillance tools with the help of undocumented security vulnerabilities. For example, NSO Group used its Pegasus malware to spy on activists and journalists. Essentially, they build and deploy malware at the behest of a government authority. While this might be legal under the right circumstances, the actions of these companies have come under increasing scrutiny from groups like Lookout and Google’s TAG.

In the case of Hermit, it appears to have spread in Italy and Kazakhstan. In some cases, the bad actors were able to infect their targets with the help of local internet service providers. The ISP would cut a device’s mobile connection, and then send the target a message with a link to restore their connection. However, the link was actually loading the Hermit spyware onto the device. When there wasn’t a compliant ISP, RCS Labs allegedly disguised the malware as a legitimate messaging app like WhatsApp and used social engineering to get the target to install it.

The malware was never hosted in the Google Play Store or Apple App Store, but that didn’t stop people from installing it. On Android phones, the malware needs to be sideloaded with unknown sources enabled. On iOS, the malware creators used a valid certificate for the Apple Developer Enterprise Program, which is used to distribute in-house apps. That allowed users to install the app directly outside of the App Store. Once installed, the app leveraged a raft of exploits to escalate privileges and download new function modules to take over a device, copy data, and monitor the user’s location.

Apple has revoked the developer certificates used in Hermit, and Google has rolled out an update to Play Protect to remove the malware. RCS Labs has been silent on the issue, which makes sense. It has a history of shady connections to military intelligence agencies in countries like Myanmar, Turkmenistan, Syria, and Pakistan, and the intelligence community is all about “no comment.”

Google says the growth in commercial spyware should concern everyone. With online surveillance more common than ever, you might find yourself swept up in a sophisticated malware operation in the future.
