A few days ago, articles (including ours) about the Hermit spyware appeared to pique reader interest.
Described in detail by Google’s Threat Analysis Group (TAG), the Hermit spyware (it was dubbed Hermit by security firm Lookout, which first reported its discovery) is part of a dangerous and sophisticated malware attack that’s actively being used in the wild. Attackers are using zero-day vulnerabilities (meaning those that haven’t yet been patched) and other dangerous exploits in Android and iOS code to deploy malware that can take control over someone’s iOS or Android device.
Most news outlets focused on the “news” portion of the story. But as we’ve seen from this Reddit thread, what users really want to know (and rightfully so) is how, exactly, you can protect yourself from this menace, how you can know whether your device has been infected, and if it has, how to get rid of the spyware.
We’ve got some good news and some bad news.
The bad news is that, when performed properly, this is a highly sophisticated attack that could fool nearly anyone. One tactic that the attackers have employed, per TAG, is to work with the target’s ISP to disable the target’s mobile data connectivity and send them a malicious link via SMS to recover connectivity — and install the malware.
It’s unclear whether the attackers actually got the ISPs to participate in the attack, or whether they had an insider who could perform these actions for them, but the result is chillingly dangerous. Imagine your phone losing mobile data connectivity and then immediately getting a message from your vendor saying, “Yeah, we know your phone’s data connectivity doesn’t work, here’s a link to fix it.” Unless you’re aware of this particular attack, you’d probably click on it without much hesitation.
Another tactic was to send links to convincing, rogue versions of popular apps such as Facebook and Instagram which, again, resulted in the target’s phone being infected.
An example of a prompt for the target to install malware apps.
Credit: Google TAG
On Apple devices, attackers used flaws in the company’s protocols to distribute apps that can bypass the App Store but be subject to the same security enforcement mechanisms. In other words, these rogue applications were able to run on iOS devices without the system seeing anything unusual about them. One such app, according to TAG’s analysis, contained security flaws which can be used by six different exploits, and they were able to send interesting files from the device, like a WhatsApp database, to a third party.
TAG doesn’t provide much info on what happens when a target’s device gets infected. But here’s more bad news: If an attacker has access to resources to perform this type of attack, they can probably deploy malware that’s hard or impossible to detect or remove. And it could be (almost) anything: software that eavesdrops on your phone conversations, reads your messages, accesses your camera, you name it. Anti-malware software might be able to detect some of it or at least notify you that something’s wrong, but you should primarily be concerned with protecting your device from getting infected in the first place.
But why did the attacks happen?
According to TAG, these attacks and malware are used by RCS Lab, an Italian company that says it works with governments (its tagline is that they “provide technological solutions and give technical support to the Lawful Enforcement Agencies worldwide.”) In a statement to TechCrunch, the company said it “exports its products in compliance with both national and European rules and regulations” and that “any sales or implementation of products is performed only after receiving an official authorization from the competent authorities.”
These types of attacks should, in theory, be fairly limited towards very specific targets, such as journalists, activists, and politicians. TAG has only seen them in action in two countries, Italy and Kazakhstan (Lookout also adds Syria to that list). Obviously, this is pretty horrible — governments buying spyware from shady vendors and then deploying it to target someone they deem their enemy — but that’s the world we’re living in.
It’s not just RCS Lab and Hermit. TAG says it’s tracking more than 30 vendors that sell “exploits or surveillance capabilities to government-backed actors.” These vendors include companies like North Macedonia’s Cytrox and its ALIEN/PREDATOR spyware, and Israel’s NSO Group, known for its Pegasus spyware.
The good news, if you can call it that, is that these types of attacks aren’t likely to spread massively onto devices of hundreds of millions of users. The people using these tools aren’t building a spambot network, they’re targeting specific individuals. But it’s still important for everyone to know how to protect from sophisticated attacks like these, as you never know when you might become the “specific individual” on some “lawful enforcement agency’s” list.
How do you protect yourself from malware attacks like these?
A typical line you’ll get from security experts is to never, ever install anything from a party you don’t trust, or click on a link coming from someone you don’t know. That’s a bit harder to implement when your ISP is in on the scam and it’s sending you links to “fix” your data connectivity. The rule of thumb still applies: If something feels off, double check it. If you’re unsure whether a link or an app is legit, don’t click on it, even if it comes from Google, Facebook, Apple, your ISP, even a relative. And always keep your device’s software up to date.
TAG also highlights an important fact: None of the malware apps that were used to deploy Hermit were available in Apple’s App Store or Google’s Play Store (the hackers used various tactics to sideline official stores). While installing apps only from official app stores doesn’t offer 100 percent protection from malware, it’s definitely good security practice.
Also, TAG says that Google has taken steps to protect users who have been directly affected by Hermit, including warning all Android victims, and implementing fixes to thwart the attacks. Apple told TechCrunch it has revoked all known accounts and certificates associated with Hermit.
If you want to take it a few steps further, security firm Kaspersky has a list of actions you can take to protect yourself from sophisticated spyware, and it includes daily reboots, disabling iMessage and FaceTime, and using an alternative browser to browse the internet, instead of the popular Chrome or Safari.