Security researchers at Lookout have released new details about an Android spyware deployed in targeted attacks by national governments, with victims in Kazakhstan, Syria and Italy.
The spyware, which Lookout is naming Hermit, was first detected in Kazakhstan in April, just months after the Kazakh government violently suppressed protests against government policies. Lookout said a Kazakh government entity was likely behind the most recent campaign. The spyware has also been deployed in the northeastern Kurdish region of Syria, and by Italian authorities as part of an anti-corruption investigation.
Lookout obtained a sample of the Hermit Android malware, which they say is modular, allowing the spyware to download additional components as the malware needs it. The spyware uses the various modules to collect call logs, record audio, redirect phone calls and collect photos, messages, emails, and the device’s precise location, much like other spyware. Lookout said, however, that the spyware has the ability to root phones, by pulling in the files from its command and control server needed to break the device’s protections and allow near-unfettered access to a device without user interaction.
In an email, Lookout researcher Paul Shunk said the malware can run on all Android versions. “Hermit checks the Android version of the device running the app at various times in order to adapt its behavior to the version of the operating system.” Shunk said this “stands out from other app-based spyware.”
It’s believed the malicious Android app is distributed by text message spoofed to look like the message is coming from a legitimate source, impersonating apps from telecoms companies and other popular brands, like Samsung and Chinese electronics giant Oppo, which then tricks the victim into downloading the malicious app.
Lookout said there was evidence of a Hermit-infected iOS app that, like other spyware, abuses Apple enterprise developer certificates to sideload its malicious app from outside of the app store — the same behavior Facebook and Google were penalized for by skirting Apple’s app store rules. Lookout said it was unable to obtain a sample of the iOS spyware.
Now Lookout is saying its evidence points to Hermit having been developed by Italian spyware vendor RCS Lab and Tykelab, a telecom solutions company, which Lookout says is a front company. An email sent to an email address on Tykelab’s website was returned as undelivered. A spokesperson for RCS Lab did not return a request for comment.
Hermit is just one of several known government-grade spyware known to be used by authorities in what is becoming a busy market for mobile exploits for allowing governments to conduct targeted phone surveillance. But many of these government hacking-for-hire companies, like Israeli firms Candiru and NSO Group, are used by nation states and their authorities to spy on their most vocal critics, including journalists, activists and human rights defenders.
You can send tips securely over Signal and WhatsApp to +1 646-755-8849. You can also send files or documents using our SecureDrop. Learn more