Lookout security researchers recently linked previously unattributed Android mobile spyware, nicknamed Hermit, to the Italian software company RCS Lab. Now Google's threat researchers have confirmed much of Lookout's findings and are warning Android users whose devices have been compromised by the spyware.
Hermit is commercial spyware known to be used by governments, with victims in Kazakhstan and Italy, according to Lookout and Google. Lookout also says it saw the spyware deployed in northern Syria. The spyware downloads various modules from its command-and-control servers as needed to collect call logs, record ambient audio, redirect phone calls, and gather photos, messages, emails and the precise location of the victim's device. Lookout said in its analysis that Hermit, which works on all versions of Android, also attempts to root an infected device, granting the spyware even deeper access to the victim's data.
Lookout said targeted victims were sent a malicious link via text message and tricked into downloading and installing the malicious app, which masquerades as a legitimate branded telecom or messaging app, from outside the app store.
According to a new blog post published Thursday and shared with TechCrunch ahead of publication, Google said it found evidence that in some cases the government actors controlling the spyware worked with the target's internet service provider to cut off the target's mobile data connectivity, likely as a lure to get the target to download a telecommunications-themed app under the guise of restoring connectivity.
Google also analyzed a sample of Hermit spyware targeting iPhones, which Lookout had previously said it was unable to obtain. According to Google's findings, the Hermit iOS app, which abuses Apple enterprise developer certificates to allow the spyware to be loaded onto the victim's device from outside the App Store, contains six different exploits, two of which targeted never-before-seen vulnerabilities, or zero-days, at the time of their discovery. One of the zero-day vulnerabilities was known to Apple to be actively exploited before it was patched.
Neither the Android nor the iOS version of Hermit was found in the app stores, according to the two companies. Google said it "notified Android users about infected devices" and updated Google Play Protect, Android's built-in app security scanner, to prevent the app from running. Google also said it disabled the spyware's Firebase account, which the spyware used to communicate with its servers.
Google did not specify the number of Android users it was notifying.
When asked by TechCrunch whether Apple had disabled the enterprise certificate used to sign the iOS version of the spyware, which would render the spyware unable to function, an Apple spokesperson declined to comment.
Hermit is the latest government-grade spyware known to be deployed by state agencies. Although it is unknown who has been targeted by governments using Hermit, similar mobile spyware developed by hacking-for-hire companies, such as NSO Group and Candiru, has been linked to surveillance of journalists, activists and human rights defenders.
When contacted for comment, RCS Lab provided an unattributed statement, which read in part: “RCS Lab exports its products in accordance with national and European rules and regulations. Any sale or placement of products is only carried out after having received official authorization from the competent authorities. Our products are delivered and installed in the premises of approved customers. RCS Lab personnel are not exposed to or participate in any activities conducted by affected customers.