Active Hackathon

Is Hermit the new Pegasus?

According to Wikileaks, RCS Lab is also a known business associate of the Italian spyware vendor Memento Labs.
Listen to this story

While the Pegasus spyware is still lurking in the shadows, a new spyware has come crawling out of the woodwork. Dubbed Hermit, the spyware moves via SMS and impersonates applications from telecommunications companies or smartphone manufacturers. It can exploit a rooted device, record audio and make and redirect phone calls and collect data including call logs, contacts, photos, device location and SMS messages

The modular spyware is named after a distinct server path used by the attacker’s command and control (C2).


Sign up for your weekly dose of what's up in emerging technology.

How did it all begin

The researchers from US-based Lookout Threat Lab, an integrated endpoint-to-cloud security company, first spotted the Hermit within Kazakhstan’s borders. The lab claims to have evidence that it was used by the government of Kazakhstan. “While we’ve been following this threat for a while using Lookout Endpoint Detection and Response (EDR) these latest samples were detected in April 2022, four months after nationwide protests against government policies were violently suppressed. Our analysis suggests that Hermit has not only been deployed to Kazakhstan but that an entity of the national government is likely behind the campaign,” said the Lookout team.

The samples from this campaign were named “oppo.service” and impersonated the Chinese electronic manufacturer Oppo. The malware was masked in an official Oppo support page in Kazakh (http://oppo-kz.custhelp[.]com). The page has gone offline ever since. The team also discovered samples that impersonate Samsung and Vivo.

Source: Lookout

That’s not all. Last year, the Italian parliament released a document stating Italian authorities had used Hermit for an anti-corruption operation in 2021. The document mentioned an iOS version of Hermit and linked RCS Lab and Tykelab to the malware.

Researchers had found a reference to “Rojava,” a Kurdish-speaking region in northeastern Syria in Hermit’s passive DNS records. The region is the ground zero for the ongoing Syrian civil war and the fights between the Islamic State (IS) and Kurdish-led Syrian Democratic Forces (SDF). Turkey recently carried out a series of military operations against the SDF, resulting in the region’s partial occupation.

Behind Hermit

As per Lookout, Hermit is developed by Italian spyware vendor RCS Lab S.p.A and a telecommunications solutions company Tykelab Srl that’s allegedly operating as a front.

RCS Lab is over three decades old and is in the same market as NSO Group Technologies that created Pegasus. Such companies claim to sell only to customers with legitimate uses for surveillanceware, such as intelligence and law enforcement agencies. However, in reality, such tools have frequently been used to spy on human rights activists, academics, business executives,  journalists, and government officials under the pretext of national security.

According to Wikileaks, RCS Lab is also a known business associate of the Italian spyware vendor Memento Labs. RCS Lab worked with military and intelligence agencies in Pakistan, Chile, Mongolia, Bangladesh, Vietnam, Myanmar, and Turkmenistan, according to correspondence between the two companies.

Google issues a warning

Google has been tracking the activities of commercial spyware vendors for years, and in many cases, it was sold to and used by government-backed actors. “TAG is actively tracking more than 30 vendors with varying levels of sophistication and public exposure selling exploits or surveillance capabilities to government-backed actors,” said a Google blog post.

Governments using this spyware collaborate with internet providers to cut a target’s mobile data connectivity and then send an SMS claiming to restore mobile data connectivity with a link to download and install a fake carrier app.

A screenshot from one of the attacker-controlled sites
Source: Google Blog

In Italy and Kazakhstan, RCS Labs used a combination of tactics, including atypical drive-by downloads as initial infection vectors, to target iOS and Android users.

The Hermit iOS app was loaded with six different exploits, two of which were never-before-seen vulnerabilities (zero-days). Even though the Android version of the Hermit spyware was not found in the app store, Google said it has “notified Android users of infected devices” and implemented changes in Google Play Protect to protect all users. Google also said it terminated the spyware’s Firebase account, which was used to communicate with Google’s servers.

More Great AIM Stories

Sri Krishna
Sri Krishna is a technology enthusiast with a professional background in journalism. He believes in writing on subjects that evoke a thought process towards a better world. When not writing, he indulges his passion for automobiles and poetry.

Our Upcoming Events

Conference, Virtual
Genpact Analytics Career Day
3rd Sep

Conference, in-person (Bangalore)
Cypher 2022
21-23rd Sep

Conference, in-person (Bangalore)
Machine Learning Developers Summit (MLDS) 2023
19-20th Jan

Conference, in-person (Bangalore)
Data Engineering Summit (DES) 2023
21st Apr, 2023

3 Ways to Join our Community

Discord Server

Stay Connected with a larger ecosystem of data science and ML Professionals

Telegram Channel

Discover special offers, top stories, upcoming events, and more.

Subscribe to our newsletter

Get the latest updates from AIM

The curious case of Google Cloud revenue

Porat had earlier said that Google Cloud was putting in money to make more money, but even with the bucket-loads of money that it was making, profitability was still elusive.

Global Parliaments can do much more with Artificial Intelligence

The world is using AI to enhance the performance of its policymakers. India, too, has launched its own machine learning system NeVA, which at the moment is not fully implemented across the nation. How can we learn and adopt from the advancement in the Parliaments around the world? 

Why IISc wins?

IISc was selected as the world’s top research university, trumping some of the top Ivy League colleges in the QS World University Rankings 2022