A sophisticated spyware campaign is getting the help of Internet service providers (ISPs) to trick users into downloading malicious apps. This corroborates earlier findings from security research group Lookout, which has linked the spyware to Italian spyware vendor RCS Labs.

Researchers believe hermit has already been deployed by the government of Kazakhstan and Italian authorities. Google has identified victims in both countries and says it will notify affected users.

Hermit is a modular threat that can download additional capabilities from a command and control server. This allows the spyware to access the call records, location, photos, and text messages on a victim’s device.

The spyware can infect both Android and iPhones by disguising itself as a legitimate source, typically taking on the form of a mobile carrier or messaging app. Bad actors would then pose as a victim’s mobile carrier over SMS and trick users into believing that a malicious app download will restore their Internet connectivity.

Developers were able to distribute infected apps on iOS by enrolling in Apple’s developer enterprise program. This allowed bad actors to bypass the app store’s standard vetting process and obtain a certificate that’satisfies all of the iOS code signing requirements on any iOS devices’.