
Government-Backed Spyware ‘Hermit’ Exploits Chrome Zero-Day Vulnerability
A newly discovered spyware campaign is targeting both Android and iOS users, leveraging a previously unknown “zero-day” vulnerability in the Google Chrome browser to infect devices. The sophisticated spyware, known as ‘Hermit’, is linked to the Italian commercial surveillance vendor RCS Lab, highlighting the growing danger posed by a private industry that sells powerful hacking tools to government agencies.
Google’s Threat Analysis Group (TAG) identified the attacks and attributed them to RCS Lab, a company that claims to provide “lawful intercept” services to law enforcement. The campaign targeted individuals in Italy and Kazakhstan, demonstrating the global reach of these surveillance tools. This discovery confirms that the commercial spyware market extends beyond a few well-known companies, posing a significant threat to user privacy and security worldwide.
The Anatomy of a Sophisticated Mobile Attack
The attack chain used to deploy the Hermit spyware is complex and multi-pronged, often beginning with a unique link sent to the target’s mobile device. Attackers have been observed taking extraordinary measures to ensure their targets click the link and install the malicious software.
In some cases, Google assessed, the attackers worked with the target’s Internet Service Provider (ISP) to cut the victim’s mobile data connection. The victim then received a message, apparently from the carrier, saying that an app had to be installed to restore connectivity. That app was the spyware itself, and the pretext explains why a target would follow a link from a text message and sit through an unusual installation flow.
The infection process differs slightly between Android and iOS:
- For Android users, the link leads to a malicious application package (APK) hosted outside the Google Play Store. Installing it requires the user to allow installs from unknown sources for the browser or messaging app that opened the link, so the lure has to talk the victim through dismissing that warning.
- For iOS users, the attack abuses Apple’s Developer Enterprise Program. Enterprise certificates let an organization distribute in-house apps to its own employees without App Store review; the malicious app is signed with such a certificate and installed from a web page. This does not break the iOS code-signing model: the app carries a valid signature, but the victim must still open Settings and explicitly trust the developer profile, which is why the lure walks them through that step. Because the app is treated as a legitimately signed enterprise app, it is never examined by App Store review.
Once installed, Hermit is a highly modular spyware with extensive capabilities. It can steal data from the device, including contacts, calendar events, photos, and files. It can also record ambient audio, redirect phone calls, and access precise device location, turning a personal smartphone into a powerful surveillance device.
What is RCS Lab? The Company Behind the Spyware
RCS Lab is an Italian company that has been operating for decades, marketing its surveillance technology to government and intelligence agencies. Much like the infamous NSO Group, the creator of the Pegasus spyware, RCS Lab operates in a secretive but lucrative industry that develops and sells tools for digital espionage.
The existence of such companies creates a market in which zero-day vulnerabilities (flaws unknown to the software vendor, for which no patch yet exists) are bought and weaponized rather than reported and fixed. The Chrome flaw this article ties to the campaign, CVE-2022-2294, is a heap buffer overflow in Chrome’s WebRTC component; Google fixed it in Chrome 103.0.5060.114 on 4 July 2022 and acknowledged at the time that an exploit existed in the wild. The incident is a reminder that even heavily hardened software such as Chrome can be compromised. A browser exploit on its own only yields code execution inside the browser’s sandbox, which is why such bugs are typically chained with further privilege-escalation flaws to gain the device-wide access a spyware implant needs.
The commercialization of these tools means they can be used by governments against various targets, including journalists, human rights activists, and political opponents, under the guise of national security.
How to Protect Yourself from Advanced Spyware Threats
While attacks of this sophistication are often targeted, every user can take steps to harden their defenses against spyware and other digital threats.
Keep Your Software Updated: This is the single most important step. The Chrome vulnerability used by Hermit was patched by Google in a security update. Enable automatic updates on your browser, operating system, and all applications so that you are protected against known flaws as soon as a fix is available. Note that Chrome only applies a downloaded update when it is relaunched; a browser window left open for days keeps running the old binary until you restart it.
Be Wary of Unsolicited Links: Never click on links or download attachments from unknown or suspicious sources, whether they arrive via text message, email, or social media. Be especially cautious of messages that create a sense of urgency, like claiming your internet is disabled.
Only Install Apps from Official Stores: For Android users, avoid installing apps from third-party sources, and do not grant a browser or messaging app permission to install unknown apps just because a message tells you to. For iOS users, be extremely skeptical of any website that asks you to install a custom “enterprise” app or a configuration profile; a legitimate carrier will not distribute software this way. Your device will display clear warnings in these situations, and an enterprise app will not run until you trust its developer under the Device Management entry in Settings > General. Do not take that step, and check that entry periodically for profiles or developers you do not recognize.
Restart Your Device Regularly: Some forms of malware are “non-persistent,” meaning they live only in the device’s memory and are wiped by a reboot. Making a weekly restart part of your routine is a good security practice. Be aware of its limits, though: Hermit is installed as an ordinary app, so a reboot does not remove it. Against this kind of implant, the defence is not installing the app in the first place and uninstalling anything suspicious you find.
Review App Permissions: Periodically check which apps have access to your microphone, camera, location, contacts, call logs, and files. Android’s Permission manager (under Settings > Privacy) and the Privacy & Security section of iOS Settings both list apps by permission, which makes it easy to spot an app you do not remember installing. Revoke any permission an app does not strictly need to function, and pay attention to the on-screen indicator that recent Android and iOS versions show while the microphone or camera is in use.
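The two tips above (install only from official stores, review permissions) can be turned into a quick triage check on an Android device over adb. The script below is an added example, not code from the original article, from Google TAG, or from RCS Lab. It parses the output of two real Android commands, `adb shell pm list packages -i` (package name and installer) and `adb shell dumpsys package <pkg>` (granted permissions), and flags apps that were not installed by a store and hold permissions a Hermit-style implant would need (microphone, location, contacts, call log, SMS, camera, call handling, storage). The sample command output is constructed for the example, and the set of “trusted” installer package names is an assumption you should extend for your own fleet.

```python
"""Triage sideloaded Android apps that hold spyware-grade permissions.

Added example: parses constructed output of `pm list packages -i` and
`dumpsys package <pkg>`; on a real device feed it the live adb output.
"""
import re

# Assumption: installers treated as official stores. Anything else
# (the system package installer, or 'null' for adb/sideload) counts as sideloaded.
TRUSTED_INSTALLERS = {
    "com.android.vending",               # Google Play Store
    "com.sec.android.app.samsungapps",   # Samsung Galaxy Store
}

# Permissions that map onto the capabilities described for Hermit.
SENSITIVE = {
    "android.permission.RECORD_AUDIO": "ambient audio recording",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.READ_CONTACTS": "contact list",
    "android.permission.READ_CALL_LOG": "call log",
    "android.permission.READ_SMS": "SMS contents",
    "android.permission.CAMERA": "camera",
    "android.permission.PROCESS_OUTGOING_CALLS": "call redirection",
    "android.permission.READ_EXTERNAL_STORAGE": "files and photos",
}

# `pm list packages -i` prints: package:<name>  installer=<installer|null>
PKG_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)\s*$")
# `dumpsys package` prints permission lines as: <perm>: granted=<true|false>, ...
PERM_LINE = re.compile(r"^\s*(android\.permission\.[A-Z_]+):\s*granted=(true|false)")


def parse_installers(pm_output):
    """Map package name -> installer package (None when installer=null)."""
    result = {}
    for line in pm_output.splitlines():
        m = PKG_LINE.match(line.strip())
        if m:
            pkg, inst = m.groups()
            result[pkg] = None if inst == "null" else inst
    return result


def parse_granted(dumpsys_output):
    """Return the set of permissions reported as granted=true."""
    granted = set()
    for line in dumpsys_output.splitlines():
        m = PERM_LINE.match(line)
        if m and m.group(2) == "true":
            granted.add(m.group(1))
    return granted


def triage(installers, grants):
    """Return [(package, installer, [sensitive perms])] for sideloaded apps
    holding at least one sensitive permission, most permissions first."""
    findings = []
    for pkg, inst in installers.items():
        if inst in TRUSTED_INSTALLERS:
            continue  # store-installed apps are out of scope for this check
        hits = sorted(p for p in grants.get(pkg, set()) if p in SENSITIVE)
        if hits:
            findings.append((pkg, inst, hits))
    findings.sort(key=lambda f: -len(f[2]))
    return findings


# Constructed sample output (not captured from a real device).
SAMPLE_PM = """\
package:com.android.chrome  installer=com.android.vending
package:com.example.carrierfix  installer=com.google.android.packageinstaller
package:com.example.flashlight  installer=null
"""

SAMPLE_DUMPSYS = {
    "com.android.chrome": """\
    install permissions:
      android.permission.INTERNET: granted=true
    runtime permissions:
      android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET ]
      android.permission.ACCESS_FINE_LOCATION: granted=false, flags=[ USER_SET ]
""",
    "com.example.carrierfix": """\
    runtime permissions:
      android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET ]
      android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
      android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
      android.permission.READ_CALL_LOG: granted=true, flags=[ USER_SET ]
      android.permission.PROCESS_OUTGOING_CALLS: granted=true, flags=[ USER_SET ]
""",
    "com.example.flashlight": """\
    runtime permissions:
      android.permission.CAMERA: granted=true, flags=[ USER_SET ]
      android.permission.RECORD_AUDIO: granted=false, flags=[ USER_SET ]
""",
}


def run_sample():
    """Run the triage over the constructed sample and return the findings."""
    installers = parse_installers(SAMPLE_PM)
    grants = {pkg: parse_granted(out) for pkg, out in SAMPLE_DUMPSYS.items()}
    return triage(installers, grants)


if __name__ == "__main__":
    for pkg, inst, hits in run_sample():
        print(f"{pkg} (installer: {inst or 'none/adb'})")
        for p in hits:
            print(f"    {p.split('.')[-1]:<24} {SENSITIVE[p]}")
```

On the sample, the Play-installed Chrome is skipped even though it holds RECORD_AUDIO, the sideloaded “carrier fix” app is reported first with five sensitive grants, and the adb-installed flashlight app is reported for its camera access alone. On a real device, pipe `adb shell pm list packages -i` into `parse_installers` and loop `adb shell dumpsys package <pkg>` over the sideloaded packages; the check only reads public package metadata and needs no root.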
The rise of the commercial spyware industry is a serious threat to digital freedom and privacy. Staying informed and practicing strong digital hygiene is your best defense against these evolving dangers.
Source: https://www.bleepingcomputer.com/news/security/italian-spyware-vendor-linked-to-chrome-zero-day-attacks/


