Security researchers at Lookout recently linked previously unattributed Android mobile spyware, dubbed Hermit, to Italian software company RCS Lab. Now Google threat researchers have confirmed much of Lookout’s findings and are notifying Android users whose devices have been compromised by the spyware.
Hermit is commercial spyware known to be used by governments, with victims in Kazakhstan and Italy, according to Lookout and Google. Lookout says it also saw the spyware deployed in northern Syria. The spyware uses various modules, which it downloads from its command and control servers as needed, to collect call logs, record ambient audio, redirect phone calls, and collect photos, messages, emails and the precise location of the victim’s device. Lookout said in its analysis that Hermit, which works on all versions of Android, also tries to root an infected Android device, granting the spyware even deeper access to the victim’s data.
Lookout said targeted victims receive a malicious link via text message and are tricked into downloading and installing the malicious app – which masquerades as a legitimate branded telecom or messaging app – from outside the app store.
According to a new blog post published Thursday and shared with TechCrunch ahead of publication, Google said it found evidence that in some cases government actors controlling the spyware worked with the target’s internet service provider to shut down their mobile data connectivity, likely as a ruse to trick the target into downloading a telecommunications-themed app under the guise of restoring connectivity.
Google also analyzed a sample of Hermit spyware targeting iPhones, which Lookout had previously said it was unable to obtain. According to Google’s findings, the Hermit iOS app – which abuses Apple enterprise developer certificates, allowing the spyware to be loaded onto the victim’s device from outside the App Store – contains six different exploits, two of which targeted never-before-seen vulnerabilities – or zero-days – at the time of their discovery. One of the zero-day vulnerabilities was known to Apple to be actively exploited before it was patched.
Neither Android nor iOS versions of Hermit spyware were found in app stores, according to the two companies. Google said it “notified Android users about infected devices” and updated Google Play Protect, Android’s built-in app security scanner, to prevent the app from running. Google said it also disconnected the spyware’s Firebase account, which the spyware used to communicate with its servers.
Google did not specify the number of Android users it was notifying.
Apple spokesperson Trevor Kincaid told TechCrunch that Apple has revoked all known accounts and certificates associated with this spyware campaign.
Hermit is the latest government-grade spyware known to be deployed by state agencies. Although it is unknown who has been targeted by governments using Hermit, similar mobile spyware developed by hacking-for-hire companies, such as NSO Group and Candiru, has been linked to the surveillance of journalists, activists and human rights defenders.
When reached for comment, RCS Lab provided an unattributed statement, which read in part:
RCS Lab exports its products in compliance with national and European rules and regulations. Any sale or placement of products is only carried out after having received official authorization from the competent authorities. Our products are delivered and installed in the premises of approved customers. RCS Lab personnel are not exposed to or participate in any activities conducted by affected customers.