Apple has revoked certificates for ‘Hermit’ spyware, which was used to target iPhones and Android devices in Italy and Kazakhstan, according to a report by 9to5Mac. Hermit was first reported by cybersecurity firm Lookout; Google’s Threat Analysis Group (TAG) later published its own report.
TAG’s analysis showed that both Android and iOS devices were targeted with Hermit, which was developed by an Italian vendor called RCS Lab. Apple has now said it revoked all “known accounts and certificates associated with the spyware”.
The app was distributed outside the App Store: the attackers sent targets a malicious link via text message. While Apple normally only allows apps from the App Store to be installed on a device, it does offer enterprise certificates that let companies distribute in-house apps to their own employees without App Store review, as the report points out.
It is this mechanism the attackers abused. The spyware was signed with an Apple-authorised enterprise certificate and presented as a legitimate telecom or messaging app, so iOS allowed it to be installed from outside the App Store. Now that Apple has revoked those certificates, apps signed with them will no longer run, and the attackers cannot simply install the spyware using the old tactics.
But this does not mean a device is 100 per cent safe against spyware, especially sophisticated, state-backed spyware whose operators have the resources to find new delivery methods.
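For anyone triaging a suspicious iOS build, the distribution channel is visible in the provisioning profile (embedded.mobileprovision) inside the .app bundle: an enterprise (in-house) profile carries ProvisionsAllDevices set to true, which is exactly what allows installation on any iPhone without App Store review. The following is an added example written for this page, not code from Apple, Lookout, Google TAG or 9to5Mac. It assumes only the well-known layout of a provisioning profile (a CMS/PKCS#7 envelope wrapping an XML plist); the sample profile, team name and bundle identifier are constructed for the demo. Note that it does not verify Apple's signature on the profile and does not check whether the signing certificate has since been revoked, which iOS does on-device.

```python
"""Classify how an iOS app was provisioned from its embedded.mobileprovision.

Added example for this article, not code from Apple, Lookout, Google TAG or
9to5Mac. The sample profile below is constructed; it is not Apple-issued.
"""
import plistlib
from datetime import datetime, timezone
from typing import Optional

PLIST_START = b"<?xml"
PLIST_END = b"</plist>"


def extract_plist(blob: bytes) -> dict:
    """Pull the XML plist out of a CMS-wrapped .mobileprovision blob.

    The profile is a DER CMS signature around the plist, but the plist is
    stored as plain XML, so locating the <?xml ... </plist> span is enough
    for triage. This does NOT verify Apple's signature over the profile.
    """
    start = blob.find(PLIST_START)
    end = blob.find(PLIST_END)
    if start < 0 or end < 0:
        raise ValueError("no XML plist found in profile")
    return plistlib.loads(blob[start:end + len(PLIST_END)])


def classify_profile(profile: dict, now: Optional[datetime] = None) -> dict:
    """Decide whether a profile is App Store, enterprise or ad hoc/development.

    ProvisionsAllDevices=true is the enterprise (in-house) marker: the app
    installs on any device without App Store review. ProvisionedDevices is a
    UDID allow-list used by ad hoc and development profiles. Neither key is
    present on an App Store build.
    """
    now = now or datetime.now(timezone.utc)
    ents = profile.get("Entitlements", {})
    if profile.get("ProvisionsAllDevices"):
        kind = "enterprise"
    elif profile.get("ProvisionedDevices"):
        kind = "ad-hoc/development"
    else:
        kind = "app-store"
    expires = profile.get("ExpirationDate")
    # plistlib returns naive datetimes that represent UTC.
    if expires is not None and expires.tzinfo is None:
        expires = expires.replace(tzinfo=timezone.utc)
    return {
        "kind": kind,
        "team": profile.get("TeamName"),
        "team_id": (profile.get("TeamIdentifier") or [None])[0],
        "app_id": ents.get("application-identifier"),
        "debuggable": bool(ents.get("get-task-allow", False)),
        "expired": expires is not None and expires < now,
        "outside_app_store": kind != "app-store",
    }


def triage(blob: bytes, as_of: Optional[str] = None) -> dict:
    """Convenience wrapper: raw profile bytes -> classification dict.

    as_of is an ISO-8601 timestamp with offset (e.g. 2022-06-20T00:00:00+00:00)
    used for the expiry check; defaults to the current time.
    """
    now = datetime.fromisoformat(as_of) if as_of else None
    return classify_profile(extract_plist(blob), now)


# Constructed sample: an enterprise profile masquerading as a carrier tool.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Name</key><string>Example Carrier Tools</string>
  <key>TeamName</key><string>Example Telco S.r.l.</string>
  <key>TeamIdentifier</key><array><string>ABCDE12345</string></array>
  <key>ProvisionsAllDevices</key><true/>
  <key>ExpirationDate</key><date>2023-06-01T00:00:00Z</date>
  <key>Entitlements</key>
  <dict>
    <key>application-identifier</key><string>ABCDE12345.com.example.carriertools</string>
    <key>get-task-allow</key><false/>
  </dict>
</dict>
</plist>
"""
# Constructed stand-in for the CMS envelope: real profiles are DER-encoded,
# these opaque bytes just force extract_plist() to locate the plist itself.
SAMPLE_PROFILE = (b"\x30\x82\x0a\x00\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02"
                  + SAMPLE_PLIST + b"\x31\x82\x01\x00")

if __name__ == "__main__":
    for key, value in triage(SAMPLE_PROFILE, "2022-06-20T00:00:00+00:00").items():
        print(f"{key:18} {value}")
```

On a real device image the same check runs over each app's embedded.mobileprovision; anything classified "enterprise" that did not come from your own organisation's MDM deserves a closer look, whatever the app icon claims to be.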
What is Hermit?
The spyware was first highlighted by Lookout Threat Lab researchers. They found a series of “enterprise-grade Android surveillance apps or spyware” that were used by the government of Kazakhstan within its borders. According to Lookout’s blog post, “Hermit is likely developed by Italian spyware vendor RCS Lab S.p.A and Tykelab Srl, a telecommunications solutions company.” Lookout believes the latter served as a front company to lend the spyware operation an appearance of legitimacy.
According to Lookout, Hermit was also deployed by Italian authorities in 2019.
Once on a device, Hermit could “record audio and make and redirect phone calls, as well as collect data such as call logs, contacts, photos, device location and SMS messages,” the blog adds. This is similar to the capabilities of other sophisticated spyware such as Pegasus.
Lookout said the spyware was likely distributed via “SMS messages pretending to come from a legitimate source.”
While Lookout said it was aware of an iOS version of Hermit, it was not able to obtain a sample for analysis. According to Google’s TAG, in some cases the malicious “actors worked with the target’s ISP to disable the target’s mobile data connectivity.”
According to Google, once mobile connectivity was disabled, the attackers would send the target an SMS asking them to install an app to restore it. “We believe this is the reason why most of the applications masqueraded as mobile carrier applications. When ISP involvement is not possible, applications are masqueraded as messaging applications,” the post said.