Apple Throws Kill Switch on ‘Hermit’ Spyware App Proving Benefits of Tight App Store Control


A new spyware app targeting iPhones and Android smartphones is making a case for why Apple’s centrally controlled app ecosystem is a good idea.

Earlier this month, researchers at Lookout Threat Lab identified a new Android spyware app dubbed Hermit that had been making the rounds in Kazakhstan.


This was reportedly “enterprise-grade Android surveillance” undertaken by Kazakhstan’s government within its borders. However, the spyware app is believed to have been developed by an Italian company, RCS Lab, fronted by a telecommunications company, Tykelab Srl.

The researchers at Lookout noted that they were aware of an iOS version of Hermit but “were unable to obtain a sample for analysis.” However, a week later, Google’s Threat Analysis Group (TAG) reported on its own deep dive into Hermit, including how it works for an “iOS Drive-By” attack.

Hermit is essentially the latest competitor to NSO Group’s Pegasus spyware.

Pegasus made headlines last year due to its widespread use and evidence that it even targeted U.S. State Department employees. Apple is taking legal action against Pegasus to litigate it out of existence. However, it’s far from the only threat out there, and Hermit is simply the newest kid on the block.

Apple’s Response to Hermit + How It Works

Fortunately, due to how Hermit works, it’s much easier for Apple to cut it off at the source. Pegasus was particularly insidious as it relied on vulnerabilities in iOS to execute code that could do things behind the target’s back. Hermit is a much blunter instrument; it requires that the user install an app to do its dirty work.

  • As Google’s TAG explains, the target is sent a unique link via email or text message to try and convince them to install the malicious application on their device.
  • The means of deceiving the user varied, but in many cases, the actors would work with the target’s ISP to disable their mobile data connectivity and then offer up the app as a way to restore their service.
  • In other cases, the app disguised itself as a mobile carrier or messaging application.

This is another example of an app abusing Apple’s Enterprise Developer Program. This program is designed for companies that want to build in-house apps for their employees. However, it’s difficult to police even legitimate members, and the certificates issued by Apple can also sometimes fall into the wrong hands.

It’s also not hard to imagine where Hermit’s developers got the idea; Facebook abused that program a few years ago to build its own spyware app for “research” purposes. Facebook’s app was opt-in, but many of those who signed up didn’t realize the staggering amount of data that the app was capable of collecting.

Hermit is following the same playbook, except that it’s not politely asking users to sign up for a research study. It’s tricking targets into installing a seemingly innocuous app for another purpose, yet the victim is effectively giving up complete control of their iPhone by doing so.

Fortunately, there’s a silver lining in this case. Even though these Enterprise apps operate outside of the App Store, they still do so under Apple’s control. Everything that gets installed on an iPhone has to be signed with a certificate issued by Apple, and what Apple giveth, Apple can take away.

Google’s TAG identified the spyware’s signature as belonging to a company named “3-1 Mobile SRL,” with a developer ID attached. Researchers noted at the time that it “satisfies all of the iOS code signing requirements on any iOS devices because the company was enrolled in the Apple Developer Enterprise Program.” However, that’s come to an abrupt halt thanks to Apple’s hold on the iPhone.

As Google set out to notify Android users who had been affected by the spyware, Apple simply threw the kill switch.

Company spokesperson Trevor Kincaid told TechCrunch that “Apple has revoked all known accounts and certificates associated with this spyware campaign.”

The net effect of this is that not only will potential victims be unable to install the Hermit spyware app, but it will automatically be rendered inert even on the devices on which it’s already been installed. That may not help those whose data has already been compromised by Hermit, but it will prevent the app from doing anything else.
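For defenders who want to see what "signed through the Enterprise program" looks like on disk, here is an added example (not from the original article, Apple, or Google) that triages the `embedded.mobileprovision` file found inside a sideloaded app bundle. It relies on the `ProvisionsAllDevices` key that in-house enterprise profiles carry; the sample profile bytes, the placeholder team ID, the function names, and the watchlist are constructed for illustration.

```python
import plistlib

# Constructed sample: plist payload of an embedded.mobileprovision between
# stand-in bytes for the CMS signature envelope. The team ID is a placeholder.
SAMPLE_PROFILE = b"\x30\x82-cms-header-" + b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Name</key><string>Carrier Support</string>
<key>TeamName</key><string>3-1 Mobile SRL</string>
<key>TeamIdentifier</key><array><string>TEAMID_PLACEHOLDER</string></array>
<key>ProvisionsAllDevices</key><true/>
</dict></plist>""" + b"-cms-trailer-\x00"


def extract_plist(blob: bytes) -> dict:
    """Pull the XML plist out of the signed profile without parsing the CMS wrapper."""
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>")
    if start < 0 or end < start:
        raise ValueError("no plist payload found in profile")
    return plistlib.loads(blob[start:end + len(b"</plist>")])


def classify(profile: dict) -> str:
    """Heuristic distribution type based on which device keys are present."""
    if profile.get("ProvisionsAllDevices") is True:
        return "enterprise"            # in-house: installable on any device
    if "ProvisionedDevices" in profile:
        return "development-or-adhoc"  # limited to the listed device UDIDs
    return "app-store-distribution"    # no device keys at all


def triage(blob: bytes, watchlist: set) -> dict:
    """Summarise a profile and flag enterprise profiles from watchlisted teams.

    This reads metadata only; it does not verify the CMS signature or check
    whether Apple has revoked the certificate.
    """
    profile = extract_plist(blob)
    kind = classify(profile)
    team = profile.get("TeamName", "")
    return {
        "kind": kind,
        "team": team,
        "team_ids": profile.get("TeamIdentifier", []),
        "flagged": kind == "enterprise" and team in watchlist,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_PROFILE, {"3-1 Mobile SRL"}))
```
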
