[MART] - Daily Diary #538 - RCS Labs targets Android and iOS users

CTAS-MAT ctas-mat at appgate.com
Fri Jun 24 20:58:13 UTC 2022

I hope everyone is doing well!

Below is the entry for today.

06/24/2022 - Daily Diary #535

It was recently revealed that RCS Labs, an Italian spyware provider active for more than three decades, infected Android and iOS users in Syria, Italy, and Kazakhstan with the Hermit surveillance software, with the help of Internet Service Providers (ISPs).

Hermit is a modular surveillance spyware that operators can heavily customize for each campaign. Among its capabilities, Hermit can record audio, intercept phone calls, and collect call logs, contacts, photos, device location, and SMS messages. To protect the integrity of the collected data, Hermit uses a hash-based message authentication code (HMAC) to authenticate who sent the data and ensure that it was not modified.

The spyware was disguised as a legitimate application, and iOS and Android users received a link to it via SMS message. Once the link is clicked, the page lures the victim into downloading and installing the fake app. In some cases, the actors worked with the target's ISP to disable the device's mobile data connectivity. Once it was disabled, the attacker would send a malicious link via SMS, asking the victim to install the fake app to regain data connectivity. When ISP involvement was not possible, the apps were disguised as messaging apps.

To protect against spyware, we recommend downloading applications only from trusted sources, updating AV periodically, and not trusting external links to download apps, particularly if they come through SMS or e-mail. These recommendations are not enough against more advanced spyware strains like Pegasus from NSO Group, which relies on zero-day vulnerabilities and zero-click attacks, so high-profile targets may need to adopt additional precautions.

Kind Regards,
