Security researchers at Lookout recently tied a previously unattributed Android mobile spyware, dubbed Hermit, to Italian software house RCS Lab. Now, Google threat researchers have confirmed much of Lookout’s findings and are notifying Android users whose devices were compromised by the spyware.
Hermit is a commercial spyware known to be used by governments, with victims in Kazakhstan and Italy, according to Lookout and Google. Lookout says it’s also seen the spyware deployed in northern Syria. The spyware uses various modules, which it downloads from its command and control servers as they are needed, to collect call logs, record ambient audio, redirect phone calls and collect photos, messages, emails and the device’s precise location from a victim’s device. Lookout said in its analysis that Hermit, which works on all Android versions, also tries to root an infected Android device, granting the spyware even deeper access to the victim’s data.
Lookout said that targeted victims are sent a malicious link by text message and tricked into downloading and installing the malicious app — which masquerades as a legitimate branded telco or messaging app — from outside of the app store.
According to a new blog post published Thursday and shared with TechCrunch ahead of its publication, Google said it found evidence that in some cases the government actors in control of the spyware worked with the target’s internet provider to cut their mobile data connectivity, likely as a lure to trick the target into downloading an telco-themed app under the guise of restoring connectivity.
Google also analyzed a sample of the Hermit spyware targeting iPhones, which Lookout said previously it was unable to obtain. According to Google’s findings, the Hermit iOS app — which abuses Apple enterprise developer certificates allowing the spyware to be sideloaded on a victim’s device from outside of the app store — is packed with six different exploits, two of which were never-before-seen vulnerabilities — or zero-days — at the time of their discovery. One of the zero-day vulnerabilities was known to Apple as being actively exploited before it was fixed.
Neither the Android nor iOS versions of the Hermit spyware were found in the app stores, according to both companies. Google said it has “notified the Android users of infected devices,” and has updated Google Play Protect, the app security scanner built-in to Android, to block the app from running. Google said it also pulled the plug on the spyware’s Firebase account, which the spyware used for communicating with its servers.
Google did not say how many Android users it was notifying.
Apple spokesperson Trevor Kincaid told TechCrunch that Apple has revoked all known accounts and certificates associated with this spyware campaign.
Hermit is the latest government-grade spyware known to be deployed by state agencies. Although it’s not known who has been targeted by governments using Hermit, similar mobile spyware developed by hacking-for-hire companies, like NSO Group and Candiru, have been linked to surveillance of journalists, activists and human rights defenders.
When reached for comment, RCS Lab provided an unattributed statement, which read in part:
RCS Lab exports its products in compliance with both national and European rules and regulations. Any sales or implementation of products is performed only after receiving an official authorization from the competent authorities. Our products are delivered and installed within the premises of approved customers. RCS Lab personnel are not exposed, nor participate in any activities conducted by the relevant customers.