An Italian company, RCS Labs, reportedly spread malware to a number of users in Italy and Kazakhstan. Google said they were victims of Hermit, the modular spyware from RCS Labs.
According to the technology giant, the malware can steal data and can also record audio and make calls, as reported by Threatpost on Monday (28/6/2022).
Google Threat Analysis Group (TAG) researchers Benoit Sevens and Clement Lecigne said attackers would send their targets unique links to fake apps. The aim of this method is to make the victim download and install the prepared spyware.
According to the researchers, the linked page is in Italian. The website asks the user to install an application to restore their account.
Both researchers say that no copycat apps were found in either Apple's or Google's app store.
“We detailed the capabilities we associated with RCS Labs, an Italian vendor using a combination of tactics including atypical drive-by downloads as initial infection vectors, to target mobile users on iOS and Android,” a Google TAG spokesperson said.
It was also revealed that the perpetrators collaborated with the victim’s ISP to disable cellular data connectivity.
One copycat app for iOS resembles the Vodafone app, said Ian Beer of Google Project Zero. The perpetrator sends the victim a link to the malicious application via SMS.
“The SMS claims that, to restore cellular data connectivity, the target must install an operator application, and includes a download link to install a fake application,” he explained.
Meanwhile, the use of Hermit spyware is actually legal according to national and international laws. But TAG researchers say such spyware is also frequently found to be used by governments.
“They are often found to be used by governments for purposes that go against democratic values: targeting dissidents, journalists, human rights workers and opposition party politicians,” said a Google TAG researcher.