Hermit: previously unknown Android spyware apparently from RCS Lab

A previously unknown Android spyware named Hermit has been attributed to the Italian company RCS Lab by a security research group.

Lookout security researchers recently attributed a previously unknown Android spyware named Hermit to the Italian software house RCS Lab. Google’s threat researchers have now confirmed most of Lookout’s findings and are notifying Android users whose devices were infected by the spyware.

Hermit is a surveillance jack of all trades

Hermit is a commercial spyware that is known to be used by governments. According to Lookout and Google, the software was found on targets in Kazakhstan and Italy. According to Lookout, the spyware was also used in northern Syria. Hermit uses various modules, which it downloads from its command-and-control servers as needed. This allows Hermit, for example, to create and collect call logs, record ambient noise and redirect phone calls. In addition, the spyware captures photos, messages, emails, and the exact location of a target’s device. In its analysis, Lookout found that Hermit, which works on all versions of Android, even tries to root an infected Android device, giving the spyware still deeper access to the target’s data.

According to Lookout, attackers send victims a malicious link via SMS, tricking them into downloading and installing the malicious app – masquerading as a legitimate telco or messaging app – from outside the app store. In a new blog post published on Thursday, Google says it has found evidence that in some cases the state actors controlling the spyware colluded with the target’s ISP. The aim was to interrupt the mobile data connection, probably as a lure to trick the target into downloading a telco app under the pretense of restoring connectivity. A perfidious game.
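Because Hermit reaches a device by sideloading rather than through the Play Store, one quick triage step is to list installed third-party packages together with the installer that put them there and flag anything that did not come from the store. The script below is an added example, not code from Lookout, Google or RCS Lab: it parses the output format of `adb shell pm list packages -i -3` (one `package:<name>  installer=<installer>` line per app, `null` when no installer is recorded). The sample output embedded in it is constructed and the package names are invented.

```python
import re

# Constructed sample of `adb shell pm list packages -i -3` output.
# The package names are invented; this is not data from a real device.
SAMPLE_OUTPUT = """\
package:com.example.bank  installer=com.android.vending
package:com.example.messenger  installer=com.google.android.packageinstaller
package:com.example.telco.helper  installer=null
package:org.example.news  installer=com.android.vending
"""

# Installers that correspond to the official store.
STORE_INSTALLERS = {"com.android.vending"}
# The on-device package installer: used when a user installs an APK by hand
# (for example after following a link received by SMS).
MANUAL_INSTALLERS = {
    "com.android.packageinstaller",
    "com.google.android.packageinstaller",
}

# One line per package, tolerant of one or more spaces between the fields.
LINE_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)\s*$")


def parse_pm_list(text):
    """Return (package, installer) pairs; installer is None when pm reports null."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # skip anything that is not a package line
        pkg, installer = m.groups()
        entries.append((pkg, None if installer == "null" else installer))
    return entries


def classify(installer):
    """Coarse provenance label for an installer package name."""
    if installer in STORE_INSTALLERS:
        return "store"
    if installer in MANUAL_INSTALLERS:
        return "sideloaded"
    if installer is None:
        return "unknown"
    return "other"  # e.g. a vendor store or an MDM agent; review separately


def find_non_store_packages(text):
    """Return (package, installer, label) for every package not installed by the store."""
    results = []
    for pkg, installer in parse_pm_list(text):
        label = classify(installer)
        if label != "store":
            results.append((pkg, installer, label))
    return results


if __name__ == "__main__":
    for pkg, installer, label in find_non_store_packages(SAMPLE_OUTPUT):
        print(f"{label:10} {pkg:32} installer={installer}")
```

The installer name is recorded by whichever component performed the install and, on older Android releases, could be set to an arbitrary value by the installing app, so treat a non-store result as a triage lead to examine the APK itself (signing certificate, requested permissions, network destinations), not as proof of compromise.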

Google also analyzed a sample of the Hermit spyware targeting iPhones, which Lookout says it had not previously been able to obtain. According to Google’s findings, the Hermit iOS app contains six different vulnerabilities, two of which were zero-day vulnerabilities at the time of their discovery. Apple was aware that attackers were actively exploiting one of the zero-day vulnerabilities before it was fixed. Hermit abuses Apple’s enterprise developer certificates so that targets can install it on their device from outside the app store.

Hermit similar to NSO Group software and Candiru

According to Google and Apple, neither the Android nor the iOS versions of the Hermit spyware were found in the app stores. Google said it will notify the Android users of the infected devices. Google also updated Play Protect to block the app from running and blocked the spyware’s associated Firebase account, which the spyware needed to communicate with its servers. Google did not say how many Android users it notified. Apple spokesman Trevor Kincaid told TechCrunch that Apple has deleted and revoked all known accounts and certificates associated with this spyware.

Hermit is a new type of spyware used by government agencies. While it is not known whom governments targeted with Hermit, similar mobile spyware developed by companies such as NSO Group and Candiru has been linked to the surveillance of journalists, activists and human rights defenders.
