What is "Hermit" spyware targeting Android and iOS?
Hermit is the latest sophisticated spyware in the news, and it is believed to have targeted iPhones and Android devices in Italy and Kazakhstan. Hermit’s deployment (the spyware was developed by an Italian vendor called RCS Lab) was first reported by security researchers at Lookout, a San Francisco-based cybersecurity firm.
Hermit is spyware along the lines of Pegasus by NSO Group. Once installed on a device, it can record audio, place unauthorised calls, and carry out many other unauthorised activities. According to Lookout, the spyware can steal stored account emails, contacts, browser bookmarks/searches, calendar events, etc. It can also take pictures on the device and steal device information such as details about installed applications, kernel information, model, manufacturer, OS, security patch level, phone number, etc. It can also download and install APKs (Android app package files) on a compromised phone.
The spyware can also upload files from the device, read notifications, and take pictures of the screen. Because it can gain root, or ‘privileged’, access to an Android system, Lookout’s research showed, it can uninstall apps like Telegram and WhatsApp. According to the researchers, the spyware can silently uninstall and reinstall Telegram, except that the reinstalled version is likely a compromised one, and it can also steal data from the old app. For WhatsApp, it can prompt the user to reinstall WhatsApp via the Play Store.
So, once Hermit has been deployed to a phone, it can control and track data from all key applications.
Sophisticated spyware such as Hermit and Pegasus costs millions of dollars in licensing fees, and these are not simple operations; they are nothing like common malware targeting regular users. In the case of Hermit, the operations appear to have been complex. According to Google’s TAG team, all campaigns started with a unique link sent to the victim’s phone. When the user clicked it, the page installed the application on both Android and iOS.
Google believes the actors targeting the victims worked with the target’s Internet Service Provider, or ISP. Google notes, “We believe the actors worked with the target’s ISP to disable the target’s mobile data connectivity. Once disabled, the attacker would send a malicious link via SMS asking the target to install an application to recover their data connectivity. We believe this is the reason why most applications masquerade as mobile carrier applications.”
When ISP involvement was not possible, the spyware would pretend to be a messaging app. In Google’s screenshot example, the link would pretend to be a recovery page for a Facebook account and ask users to download a version of WhatsApp, Instagram or Facebook; this was the case on Android devices. These were, of course, compromised versions of those apps.
In Apple’s case, Google’s research showed that the spyware abused Apple’s enterprise certificate programme, under which select enterprises are issued certificates that allow them to distribute their own in-house apps directly to iOS devices, bypassing the App Store. The ‘Hermit spyware’ apps had managed to obtain such certificates, which have since been revoked by Apple.
What are the security measures?
As noted, Hermit is not common spyware. Lookout’s analysis shows that in Kazakhstan, “an entity of the national government is likely behind the campaign.” Google also noted that it had identified and alerted all Android victims in Italy and Kazakhstan. It also said it had implemented changes in Google Play Protect and disabled all Firebase projects used to command and control the campaign.
Mobile devices are the perfect target for surveillance. While not all of us will be targeted, users should continue to follow basic precautions. This includes regularly updating your phone, as each update includes patches for vulnerabilities, including ones that were not publicly known before the fix. Once again, users should avoid clicking on unknown links, even out of curiosity. It is also recommended that users periodically review the apps on their device to keep track of whether something unknown was added.
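Since the Android campaign relied on the victim sideloading an app that posed as a carrier or messaging app, one concrete way to do the app review suggested above is to list third-party packages together with the installer that put them on the device and flag anything that did not come from the Play Store. The script below is an added example, not part of the original post or of Lookout’s or Google’s tooling; it parses the output of `adb shell pm list packages -i -3` and uses a constructed sample of that output so it runs without a device.

```shell
#!/bin/sh
# Flag third-party Android packages that were not installed by the Play Store.
# Input is the output of `adb shell pm list packages -i -3`; each line looks like
#   package:<package.name>  installer=<installer package or null>
# Packages installed from a browser download or a package installer show a
# non-Play installer (or "null"), which is how a link-delivered app would appear.

# Constructed sample output for illustration; not captured from a real device.
SAMPLE_PM_OUTPUT='package:com.whatsapp  installer=com.android.vending
package:org.telegram.messenger  installer=com.android.vending
package:com.carrier.datarecovery  installer=null
package:com.example.sideloaded  installer=com.google.android.packageinstaller'

# Print "<package> <installer>" for every package whose installer is not
# the Play Store (com.android.vending).
flag_sideloaded() {
    printf '%s\n' "$1" | awk '
        /^package:/ {
            pkg = substr($1, 9)                    # strip the "package:" prefix
            inst = "null"
            for (i = 2; i <= NF; i++)
                if (index($i, "installer=") == 1)
                    inst = substr($i, 11)          # strip "installer="
            if (inst != "com.android.vending") print pkg, inst
        }'
}

# Number of packages flagged, as a bare integer.
count_sideloaded() {
    flag_sideloaded "$1" | wc -l | tr -d ' '
}

# With --device, read from a connected phone over adb; otherwise use the sample.
if [ "${1:-}" = "--device" ]; then
    flag_sideloaded "$(adb shell pm list packages -i -3)"
else
    flag_sideloaded "$SAMPLE_PM_OUTPUT"
fi
```

A flagged package is a starting point for review, not proof of compromise (developer builds and alternative app stores also appear here), and on a device where the spyware has gained root the package manager’s own answers can no longer be fully trusted.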