New spyware ‘Hermit’ being used by govts


New York : Cyber-security researchers have unearthed a new enterprise-grade Android spyware called ‘Hermit’ that is being used by the governments via SMS messages to target high-profile people like business executives, human rights activists, journalists, academics and government officials. The team at cyber-security company Lookout Threat Lab uncovered the ‘surveillanceware’ that was used by the government of Kazakhstan in April, four months after nationwide protests against government policies were violently suppressed. “Based on our analysis, the spyware, which we named ‘Hermit’ is likely developed by Italian spyware vendor RCS Lab and Tykelab Srl, a telecommunications solutions company we suspect to be operating as a front company,” the researchers said in a blog post.

This isn’t the first time Hermit has been deployed.

Italian authorities used it in an anti-corruption operation in 2019. “We also found evidence suggesting that an unknown actor used it in northeastern Syria, a predominantly Kurdish region that has been the setting of numerous regional conflicts,” the team noted. RCS Lab, a known developer that has been active for over three decades, operates in the same market as Pegasus developer NSO Group Technologies and Gamma Group, which created FinFisher. RCS Lab has engaged with military and intelligence agencies in Pakistan, Chile, Mongolia, Bangladesh, Vietnam, Myanmar and Turkmenistan. Collectively branded as “lawful intercept” companies, they claim to only sell to customers with legitimate use for surveillanceware, such as intelligence and law enforcement agencies.

“In reality, such tools have often been abused under the guise of national security to spy on business executives, human rights activists, journalists, academics and government officials,” the researchers warned. Hermit is a modular spyware that hides its malicious capabilities in packages downloaded after it’s deployed. These modules, along with the permissions the core apps have, enable Hermit to exploit a rooted device, record audio and make and redirect phone calls, as well as collect data such as call logs, contacts, photos, device location and SMS messages. “We theorise that the spyware is distributed via SMS messages pretending to come from a legitimate source. The malware samples analysed impersonated the applications of telecommunications companies or smartphone manufacturers,” said the Lookout team. Hermit tricks users by serving up the legitimate webpages of the brands it impersonates as it kickstarts malicious activities in the background.