Your mobile internet gets turned off, you're told to install an app, and now you have spyware
Governments will spy; how they do it is up to them. Hence the commercial spyware market, where law enforcement buys tools to get past smartphone encryption and prosecute more suspects. Anyone who expects governments to use the same tools to crush dissent and maintain a comprehensive regime of control has reason to be concerned. This week, two research teams detailed a particularly insidious spyware program that has been used in several countries, in at least one case with the cooperation of the target's ISP, which cut off the victim's mobile data to pressure them into installing it.
Google's Threat Analysis Group and Lookout's researchers (via TechCrunch) both detailed the spyware, called "Hermit," which they attribute to the Italian commercial vendors RCS Lab and Tykelab. Lookout believes Hermit was first used in Italy, where the government deployed it in an anti-corruption operation last year. Since then it has been observed in Syria, where Bashar al-Assad's government used it, disguised as a pro-Kurdish rebel news source, against people in the country's northeast. Kazakhstan is also believed to have used Hermit to spy on citizens protesting the government's decision to raise the price of liquefied petroleum gas, a widely used vehicle fuel in the former Soviet republic, which the hike made far more expensive.
Hermit is usually delivered by a text message that links to an app the target must download and install, backed by a bit of social engineering. In some cases that social engineering reaches into the network itself.
“In some cases, we believe the actors worked with the target’s ISP to turn off the target’s mobile data connection,” Google said. “After deactivation, the attacker sends the target a malicious link via SMS asking them to install a program to restore the data connection. We believe this is the reason why most of the programs are disguised as mobile operator programs.”
Once installed, Hermit runs in the background, posing as a website or a legitimate program, and fetches additional malicious modules from a remote server. Where it can obtain root privileges on the device, it can make and redirect calls, record audio, and collect call logs, contacts and other information.
Google says distributing the Hermit app for iOS was easy for the culprits because the apps were signed with certificates belonging to a business that Apple had licensed to distribute apps in-house. Apple told TechCrunch that it has since revoked the accounts associated with the campaign. Apps signed this way can be sideloaded and never need to appear in the App Store, so none of the store's review applies to them. An Android sample obtained by the Threat Analysis Group impersonated Samsung's software support app, with its malicious modules fetched remotely after installation. Google said it has cut off the app's access to the Firebase servers that delivered those modules.
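One concrete check that follows from the iOS part of this story, added here as an example and not code from Google, Lookout or the spyware itself: an app that arrives outside the App Store carries an embedded.mobileprovision file whose keys say how it may be installed and which team signed it. The script below parses that profile. ProvisionsAllDevices, ProvisionedDevices, TeamName, TeamIdentifier and Entitlements are Apple's documented profile keys; the sample profile, team and bundle names are constructed placeholders, and the byte search for the plist inside the CMS envelope is a triage shortcut, not a signature check.

```python
import plistlib
from datetime import datetime, timezone

# Constructed sample (not a real profile): the shape of an enterprise,
# in-house distribution provisioning profile with placeholder values.
SAMPLE_ENTERPRISE_PROFILE = {
    "AppIDName": "Connectivity Helper",        # placeholder app name
    "Name": "Example In-House Distribution",   # placeholder profile name
    "TeamName": "Example Corp SRL",            # placeholder team name
    "TeamIdentifier": ["EXAMPLE123"],
    "ApplicationIdentifierPrefix": ["EXAMPLE123"],
    "CreationDate": datetime(2022, 1, 10),
    "ExpirationDate": datetime(2023, 1, 10),
    "ProvisionsAllDevices": True,   # enterprise marker: no per-device allow-list
    "Entitlements": {
        "application-identifier": "EXAMPLE123.com.example.helper",
        "get-task-allow": False,
    },
}


def build_fake_mobileprovision(profile: dict) -> bytes:
    """Wrap a plist in filler bytes to mimic the CMS envelope of a real profile."""
    return b"\x30\x82\x1a\x2b\x06\x09" + plistlib.dumps(profile) + b"\x00" * 16


def extract_plist(profile_bytes: bytes) -> dict:
    """Pull the XML plist out of a .mobileprovision blob.

    Real profiles are CMS (PKCS#7) signed DER; the plist is carried
    verbatim inside, so a byte search is enough for triage. For a proper
    decode on macOS use `security cms -D -i embedded.mobileprovision`.
    """
    start = profile_bytes.find(b"<?xml")
    end = profile_bytes.find(b"</plist>")
    if start == -1 or end == -1:
        raise ValueError("no plist payload found in profile")
    return plistlib.loads(profile_bytes[start:end + len(b"</plist>")])


def classify(profile: dict) -> str:
    """Map a profile to its distribution type using Apple's documented keys."""
    if profile.get("ProvisionsAllDevices"):
        return "enterprise"            # installs on any device, no App Store review
    if "ProvisionedDevices" in profile:
        return "adhoc_or_development"  # limited to the listed device UDIDs
    return "app_store"


def triage(profile_bytes: bytes, now: datetime = None) -> dict:
    """Summarise who signed the app, how it may be installed, and red flags."""
    p = extract_plist(profile_bytes)
    # plist dates come back as naive UTC datetimes, so compare against naive UTC.
    now = now or datetime.now(timezone.utc).replace(tzinfo=None)
    kind = classify(p)
    team_ids = p.get("TeamIdentifier", [])
    entitlements = p.get("Entitlements", {})
    app_id = entitlements.get("application-identifier", "")
    expiry = p.get("ExpirationDate")
    expired = expiry is not None and expiry < now
    flags = []
    if kind == "enterprise":
        flags.append("enterprise-signed: sideloadable on any device; confirm you "
                     "are actually a member of team %r" % p.get("TeamName"))
    if app_id and not any(app_id.startswith(t + ".") for t in team_ids):
        flags.append("application-identifier prefix does not match TeamIdentifier")
    if expired:
        flags.append("profile expired on %s" % expiry.date())
    return {
        "kind": kind,
        "team_name": p.get("TeamName"),
        "team_ids": team_ids,
        "app_id": app_id,
        "expired": bool(expired),
        "flags": flags,
    }


if __name__ == "__main__":
    report = triage(build_fake_mobileprovision(SAMPLE_ENTERPRISE_PROFILE),
                    now=datetime(2022, 6, 1))
    for key, value in report.items():
        print(f"{key}: {value}")
```

The profile kind is what matters: an enterprise profile installs on any device with no App Store review, which is exactly the path the Hermit iOS samples took, so a "carrier" or "vendor" app that turns out to be enterprise-signed by a team you have no relationship with is a red flag. Verifying the CMS signature and the signing certificate chain is a separate step (`security cms -D` on macOS, or `openssl cms -verify`).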
All of this is alarming, but the defense still comes down to what apps you install, where you install them from, and whether you trust the source. A mobile operator does not restore your data connection by texting you a link to an app; a message asking you to do that deserves a call to the carrier, not a tap.