Apple halts the spread of Hermit spyware


Hermit spyware disabled

Google's Threat Analysis Group (TAG) recently released a report on Hermit, spyware targeting iPhones and Android devices. The spyware was created by the Italian software company RCS Lab and takes the same approach as Pegasus from the Israeli NSO Group. It is still unclear who was affected by Hermit, but RCS Lab mainly serves government agencies. Likely targets are therefore activists, journalists, political opponents and human rights defenders.

So Hermit doesn't seem to be aimed at regular users. But its existence does make it clear that something is wrong with iOS security. Companies like NSO Group spend millions on research to circumvent iOS security.

Hermit certificates revoked

Apple has now revoked the certificates used by Hermit, which means the spyware can no longer run on devices or be distributed. On both iOS and Android, the spyware was distributed outside the App Store and Google Play through sideloading. The attackers sent victims a text message containing a malicious link, which prompted them to install the app. On Android that was straightforward, but on iOS the attackers needed a workaround. Hermit was therefore distributed as a business app through the Apple Developer Enterprise Program. That program is intended for companies that want to make apps available to their own employees without going through the App Store. Such apps do not require approval from Apple, which makes it easy to bypass Apple's review. At the same time, it is good to know that these apps cannot simply access your user data or internal system files.
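A defender triaging a device will want to know whether an app was installed through the Enterprise Program rather than the App Store. The following is an added example, not code from the article or from Google TAG: it pulls the XML plist out of an app's embedded.mobileprovision file (real profiles wrap that plist in a CMS signature) and flags profiles that provision all devices, which is the marker of enterprise in-house distribution. The sample profile, team name and bundle identifier are constructed for the example.

```python
"""Triage an iOS app's embedded.mobileprovision for enterprise distribution."""
import plistlib
import re
from datetime import datetime, timezone
from typing import Optional

# Constructed sample: the XML plist found inside a CMS-signed
# embedded.mobileprovision. App Store apps ship without this file at all.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Name</key><string>Example Telecom Helper</string>
  <key>TeamName</key><string>EXAMPLE-TEAM (constructed)</string>
  <key>TeamIdentifier</key><array><string>ABCDE12345</string></array>
  <key>ProvisionsAllDevices</key><true/>
  <key>ExpirationDate</key><date>2023-01-01T00:00:00Z</date>
  <key>Entitlements</key><dict>
    <key>application-identifier</key><string>ABCDE12345.example.telecom</string>
  </dict>
</dict>
</plist>
"""

def extract_plist(profile_bytes: bytes) -> dict:
    """Locate the XML plist inside a (possibly CMS-wrapped) provisioning profile."""
    match = re.search(rb"<\?xml.*?</plist>", profile_bytes, re.DOTALL)
    if not match:
        raise ValueError("no XML plist found in provisioning profile")
    return plistlib.loads(match.group(0))

def triage_profile(profile_bytes: bytes, now: Optional[datetime] = None) -> dict:
    """Report whether the profile is enterprise-distributed, who signed it, and if it expired."""
    now = now or datetime.now(timezone.utc)
    profile = extract_plist(profile_bytes)
    expires = profile.get("ExpirationDate")
    if expires is not None and expires.tzinfo is None:  # plistlib yields naive datetimes
        expires = expires.replace(tzinfo=timezone.utc)
    enterprise = bool(profile.get("ProvisionsAllDevices", False))
    return {
        "name": profile.get("Name"),
        "team": profile.get("TeamName"),
        "team_ids": list(profile.get("TeamIdentifier", [])),
        "enterprise_distribution": enterprise,
        "expired": expires is not None and expires < now,
        "finding": ("enterprise-signed app installed outside the App Store; confirm "
                    "the team is your own organisation" if enterprise
                    else "not enterprise-provisioned"),
    }

if __name__ == "__main__":
    for key, value in triage_profile(SAMPLE_PROFILE).items():
        print(f"{key}: {value}")
```

Expired or revoked certificates stop the app from launching, so a flagged profile whose team is unknown to your organisation is worth investigating even after the fact.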

The spyware was disguised as a telecom or messaging app and diverted phone calls, recorded audio through the microphone, and collected photos, messages, email and the device's location. To do this the app has to ask for permission, so part of the responsibility lies with the user: do not hand out access to your photo library, camera and microphone without thinking.

Victims of the spyware are said to be located in Italy itself and in Kazakhstan, among other places. It is also said to have been used in Syria. According to Apple, all known Hermit accounts and certificates have now been revoked, preventing further distribution outside of the App Store.