While the Pegasus spyware is still lurking in the shadows, a new spyware has come crawling out of the woodwork. Dubbed Hermit, the spyware is delivered via SMS and impersonates applications from telecommunications companies or smartphone manufacturers. It can exploit a rooted device, record audio, make and redirect phone calls, and collect data including call logs, contacts, photos, device location and SMS messages.
The modular spyware is named after a distinct server path used by the attacker’s command and control (C2).
How did it all begin?
Researchers from US-based Lookout Threat Lab, an integrated endpoint-to-cloud security company, first spotted Hermit within Kazakhstan’s borders. The lab claims to have evidence that it was used by the government of Kazakhstan. “While we’ve been following this threat for a while using Lookout Endpoint Detection and Response (EDR), these latest samples were detected in April 2022, four months after nationwide protests against government policies were violently suppressed. Our analysis suggests that Hermit has not only been deployed to Kazakhstan but that an entity of the national government is likely behind the campaign,” said the Lookout team.
The samples from this campaign were named “oppo.service” and impersonated the Chinese electronics manufacturer Oppo. The malware was masked as an official Oppo support page in Kazakh (http://oppo-kz.custhelp[.]com). The page has since gone offline. The team also discovered samples that impersonate Samsung and Vivo.
That’s not all. Last year, the Italian parliament released a document stating Italian authorities had used Hermit for an anti-corruption operation in 2021. The document mentioned an iOS version of Hermit and linked RCS Lab and Tykelab to the malware.
Researchers had also found a reference to “Rojava,” a Kurdish-speaking region in northeastern Syria, in Hermit’s passive DNS records. The region is ground zero for the ongoing Syrian civil war and the fighting between the Islamic State (IS) and the Kurdish-led Syrian Democratic Forces (SDF). Turkey recently carried out a series of military operations against the SDF, resulting in the region’s partial occupation.
As per Lookout, Hermit is developed by the Italian spyware vendor RCS Lab S.p.A and Tykelab Srl, a telecommunications solutions company that is allegedly operating as a front.
RCS Lab is over three decades old and is in the same market as NSO Group Technologies that created Pegasus. Such companies claim to sell only to customers with legitimate uses for surveillanceware, such as intelligence and law enforcement agencies. However, in reality, such tools have frequently been used to spy on human rights activists, academics, business executives, journalists, and government officials under the pretext of national security.
According to Wikileaks, RCS Lab is also a known business associate of the Italian spyware vendor Memento Labs. RCS Lab worked with military and intelligence agencies in Pakistan, Chile, Mongolia, Bangladesh, Vietnam, Myanmar, and Turkmenistan, according to correspondence between the two companies.
Google issues a warning
Google has been tracking the activities of commercial spyware vendors for years, and in many cases their products were sold to and used by government-backed actors. “TAG is actively tracking more than 30 vendors with varying levels of sophistication and public exposure selling exploits or surveillance capabilities to government-backed actors,” said a Google blog post.
Governments using this spyware collaborate with internet providers to cut a target’s mobile data connectivity and then send an SMS claiming to restore mobile data connectivity with a link to download and install a fake carrier app.
In Italy and Kazakhstan, RCS Lab used a combination of tactics, including atypical drive-by downloads as initial infection vectors, to target iOS and Android users.
The Hermit iOS app was loaded with six different exploits, two of which targeted never-before-seen vulnerabilities (zero-days). Even though the Android version of the Hermit spyware was not found in the app store, Google said it has “notified Android users of infected devices” and implemented changes in Google Play Protect to protect all users. Google also said it terminated the spyware’s Firebase account, which was used to communicate with Google’s servers.