The sideloaded “Hermit” spyware threat on the iPhone has been blunted: Apple has revoked the developer accounts and certificates that allowed the spyware to run, cutting off its distribution to iOS devices.
Google’s Threat Analysis Group (TAG) recently published research on “Hermit,” spyware that can compromise Android and iOS devices. As shared on TAG’s official blog (via TechCrunch), the group has confirmed the existence of the Hermit spyware, which was created by Italian software company RCS Lab to target iOS and Android users. The spyware was distributed outside of the App Store and Google Play by sideloading.
Attackers send victims a text message containing a malicious link, tricking them into downloading and installing the app. While Android users can usually install apps from outside Google Play fairly easily, iOS users face a somewhat more complex, but not impossible, installation process.
Apple offers special certificates that companies can use to distribute in-house enterprise apps to their employees outside of the App Store. RCS took advantage of this “feature,” distributing its spyware app (masquerading as a legitimate telecom or messaging app) to iOS users as an enterprise app.
These sideloaded apps run under the same sandbox rules as App Store apps, meaning they can’t access internal system files or user data without permission, but enterprise apps are not subject to the scrutiny of App Store review. That makes it easier for malicious developers to ship exploits for iOS bugs inside the app and break out of the sandbox, which is what lets the spyware capture photos from the camera and audio from the microphone, collect photos, emails and messages, and more.
At this point, the specific groups targeted by the Hermit spyware are not known, although victims have been identified in Italy and Kazakhstan, and Lookout (the first company to report on Hermit) says it has also been used in Syria.
Hermit is likely used in a similar way to other spyware, including NSO Pegasus, which allows governments to monitor journalists, political opponents, activists, and human rights defenders.
Apple has worked to stop the spread of Hermit by revoking the accounts and certificates associated with the spyware. Once those are revoked, the spyware app can no longer be distributed, and already-installed copies stop launching once the device re-validates the enterprise certificate.