What is Hermit Spyware?
“Hermit” is the latest sophisticated spyware in the news, and it is believed to targeted iPhones and Android devices in Italy and Kazakhstan. The deployment of Hermit – the spyware was developed by an Italian vendor called RCS Lab – was first reported by cybersecurity researchers from Lookout, a San Francisco-based cybersecurity firm. Then Google’s Threat Analysis Group (TAG) published a detailed blog post last week, explaining how they believed Hermit was used to target devices.
What is Hermit and what exactly does it do on a device?
Hermit is a spyware on the lines of Pegasus by NSO Group. Once installed on a device, it can record audio on the device, make unauthorized calls and perform many unauthorized activities. According to Lookout, the spyware can steal stored account emails, contacts, browser bookmarks/searches, calendar events, and more. It can also take device photos, steal device information such as application details, kernel information, model, manufacturer, operating system, security patch, phone number , etc. It can also download and install APK (the application software files on Android) on a compromised phone.
The spyware can also download files from the device, read notifications and take screen shots. Because it can access the root or “privileged” access of an Android system, Lookout’s research has shown that it can uninstall apps like Telegram and WhatsApp. According to researchers, the spyware can uninstall/reinstall Telegram silently. Except that the reinstalled version is probably compromised. It can also steal data from the old app. For WhatsApp, it can prompt the user to reinstall WhatsApp through Play Store.
So, once Hermit is deployed on a phone, it can control and track data from all key apps.
How has Hermit rolled out to Android and iOS devices?
Sophisticated spyware like Hermit and Pegasus cost millions of dollars in licensing fees, and they’re not simple operations. It is not like common malware targeting regular users. And in the case of Hermit, it seems that the operations used were complex. According to Google’s TAG team, all campaigns started with a single link sent to the victim’s phone. When the user clicked, the page installed the app on Android and iOS.
But how did they manage to circumvent the security measures of Apple and Google?
According to Google, they believed that actors targeting victims had to work with the target’s “internet service provider” or ISP. Google notes, “We believe the actors worked with the target’s ISP to disable the target’s mobile data connectivity. Once disabled, the attacker would send a malicious link via SMS asking the target to install an app to recover their data connectivity. We believe this is why most apps masquerade as mobile operator apps. »
When ISP involvement was not possible, the spyware pretended to be a messaging application. According to Google’s screenshot example, the link would pretend to be a recovery page for a Facebook account and ask users to download a version of WhatsApp, Instagram, or Facebook. This is when the device was an Android. These were obviously compromised versions of these messaging apps.
According to Lookout, some attacks in Kazakhstan disguised themselves as pages for Oppo, Samsung and Vivo – all well-known phone brands. Additionally, their research shows that RCS Lab also worked with Tykelab Srl, a telecommunications solutions company. Lookout thinks it’s probably a “front company” for RCS Lab, and their blog post claims to show several connections between these two.
In Apple’s case, Google’s research showed that the spyware exploited Apple’s Enterprise Certificate, which is assigned to apps by some companies. This certification allows companies to distribute their own internal apps for direct downloads to iOS devices, bypassing the App Store. The “Hermit spyware” applications had successfully obtained these certifications, which have since been revoked by Apple.
Google said a company named 3-1 Mobile SRL has the necessary certificate because it is enrolled in the Apple Developer Enterprise program. Google also pointed out that they “do not believe the apps were ever available on the App Store.” Once installed, these apps exploited several known flaws and other zero-day exploits to gain more access and perform surveillance. According a new report from 9to5MacApple has now revoked the certificates of these compromised apps.
And then ? How can users protect themselves?
As stated, Hermit is not a common spyware. Lookout’s analysis shows that in Kazakhstan, “a national government entity is likely behind the campaign.” Google also noted that it had identified and alerted all Android victims in Italy and Kazakhstan. He also said he implemented changes in Google Play Protect and disabled all Firebase projects used to command and control the campaign.
Lookout also claims to have seen him deployed in Syria. In Italy, documents showed he had been misused in an anti-corruption operation. “The document mentioned an iOS version of Hermit and linked RCS Lab and Tykelab to the malware, which supports our analysis,” the blog notes.
According to them, “mobile devices are the ideal target for surveillance”. Although not all of us are targeted, users should continue to follow the basic tips. This includes updating your phones regularly, as each update includes a patch for known or unknown vulnerabilities. Again, users should avoid clicking on unfamiliar links, even out of curiosity. Users are also recommended to periodically review the apps on their device to see if anything unknown has been added.
Newsletter | Click to get the best explainers of the day delivered to your inbox
The Google blog also strongly condemns the surveillance tools used by the state and notes that in many cases these are “used by governments for purposes contrary to democratic values: targeting dissidents, journalists, human rights defenders and politicians from opposition parties”. .
Meanwhile, RCS Labs has denied any wrongdoing, saying its products and services comply with EU rules and help law enforcement investigate crimes, according to a Reuters report.