This isn’t the first time Hermit has been deployed.
Italian authorities used it in an anti-corruption operation in 2019. “We also found evidence suggesting that an unknown actor used it in northeastern Syria, a predominantly Kurdish region that has been the setting of numerous regional conflicts,” the team noted. RCS Lab, a known developer that has been active for over three decades, operates in the same market as Pegasus developer NSO Group Technologies and Gamma Group, which created FinFisher. RCS Lab has engaged with military and intelligence agencies in Pakistan, Chile, Mongolia, Bangladesh, Vietnam, Myanmar and Turkmenistan. Collectively branded as “lawful intercept” companies, they claim to only sell to customers with legitimate use for surveillanceware, such as intelligence and law enforcement agencies.
“In reality, such tools have often been abused under the guise of national security to spy on business executives, human rights activists, journalists, academics and government officials,” the researchers warned. Hermit is a modular spyware that hides its malicious capabilities in packages downloaded after it’s deployed. These modules, along with the permissions the core apps have, enable Hermit to exploit a rooted device, record audio and make and redirect phone calls, as well as collect data such as call logs, contacts, photos, device location and SMS messages. “We theorise that the spyware is distributed via SMS messages pretending to come from a legitimate source. The malware samples analysed impersonated the applications of telecommunications companies or smartphone manufacturers,” said the Lookout team. Hermit tricks users by serving up the legitimate webpages of the brands it impersonates as it kickstarts malicious activities in the background.