A sophisticated spyware campaign is getting the help of Internet service providers (ISPs) to trick users into downloading malicious apps, according to research published by Google's Threat Analysis Group (TAG).
This confirms previous findings by the security research group Lookout. Lookout linked the spyware, dubbed Hermit, to Italian spyware vendor RCS Labs.
Lookout says RCS Labs is in the same business as the NSO Group and sells commercial spyware to various government agencies.
Researchers at Lookout believe Hermit has been propagated by the Kazakh government and Italian authorities. They also say they saw the spyware spread in northern Syria.
Lookout said in its analysis that Hermit works across all versions of Android. In line with these findings, Google has identified notable victims and said it is notifying affected users.
Hermit is a typical threat that can download additional capabilities from the command and control server. This allows the spyware to access call logs, location, photos and text messages via the victim's device.
Hermit is also able to record audio, make and intercept phone calls as well as access the root user of the infected Android device, giving the spyware deeper access to the victim's data.
Spyware can infect both Android and iPhone by masquerading as a legitimate source, usually in the form of a carrier or messaging app.
And Google's cybersecurity researchers found that some attackers worked with ISPs to turn off the victim's mobile data to further their scheme.
Then, the attackers may pretend to be the victim's mobile operators via SMS. They trick users into believing that downloading a malicious app might reconnect them to the Internet.
Google explained that if the attackers were unable to work with the ISP, they would provide seemingly authentic messaging apps to trick users into downloading them.
Google warns victims of Hermit spyware
Google says that apps containing Hermit were not made available via the Google Play and App Store. However, the attackers were able to distribute infected apps via iOS by enrolling in Apple's Developer Enterprise program.
This allowed attackers to bypass the standard App Store scanning process. Besides obtaining a certificate that it meets all the requirements for signing an iOS code across any iOS device.
Apple said it has since revoked any accounts or certificates associated with the threat. In addition to notifying affected users, Google has also sent out a Google Play Protect update to all users to block the app from running.