Forget Pegasus, new Android spyware 'Hermit' now being used by govts

Cyber-security researchers have unearthed a new enterprise-grade Android spyware called 'Hermit' that is being used by the governments via SMS messages to target high-profile people like business executives, human rights activists, journalists, academics and government officials.

The team at cyber-security company Lookout Threat Lab uncovered the 'surveillanceware' that was used by the government of Kazakhstan in April, four months after nationwide protests against government policies were violently suppressed.

"Based on our analysis, the spyware, which we named 'Hermit' is likely developed by Italian spyware vendor RCS Lab and Tykelab Srl, a telecommunications solutions company we suspect to be operating as a front company," the researchers said in a blog post.

This isn't the first time Hermit has been deployed.

Italian authorities used it in an anti-corruption operation in 2019.

"We also found evidence suggesting that an unknown actor used it in northeastern Syria, a predominantly Kurdish region that has been the setting of numerous regional conflicts," the team noted.

RCS Lab, a known developer that has been active for over three decades, operates in the same market as Pegasus developer NSO Group Technologies and Gamma Group, which created FinFisher.

RCS Lab has engaged with military and intelligence agencies in Pakistan, Chile, Mongolia, Bangladesh, Vietnam, Myanmar and Turkmenistan.

Collectively branded as "lawful intercept" companies, they claim to only sell to customers with legitimate use for surveillanceware, such as intelligence and law enforcement agencies.

"In reality, such tools have often been abused under the guise of national security to spy on business executives, human rights activists, journalists, academics and government officials," the researchers warned.

Hermit is a modular spyware that hides its malicious capabilities in packages downloaded after it's deployed.

These modules, along with the permissions the core apps have, enable Hermit to exploit a rooted device, record audio and make and redirect phone calls, as well as collect data such as call logs, contacts, photos, device location and SMS messages.

"We theorise that the spyware is distributed via SMS messages pretending to come from a legitimate source. The malware samples analysed impersonated the applications of telecommunications companies or smartphone manufacturers," said the Lookout team.

Hermit tricks users by serving up the legitimate webpages of the brands it impersonates as it kickstarts malicious activities in the background.

The researchers said they are also aware of an iOS version of Hermit "but were unable to obtain a sample for analysis".

According to leaked documents published in WikiLeaks, RCS Lab was a reseller for another Italian spyware vendor HackingTeam, now known as Memento Labs, as early as 2012.

Hermit is a highly configurable spyware with enterprise-grade capabilities to collect and transmit data.

The spyware also attempts to maintain data integrity of collected aevidence' by sending a hash-based message authentication code (HMAC).

"In a sense, electronic surveillance tools are not that different from any other type of weaponry. Just this month, faced with financial pressure, CEO of the NSO group Shalev Hulio opened up the possibility of selling to 'risky' clients," said the researchers.

Pegasus was developed by the Israeli cyber company NSO Group that can be covertly installed on mobile phones and other devices.

It was capable of reading text messages, tracking calls, collecting passwords, location tracking, accessing the target device's microphone and camera, and harvesting information from apps.

The spyware has been used for surveillance of activists, journalists and political leaders from several nations around the world, including in India.

The Supreme Court-appointed technical committee last month informed the court that it would submit the Pegasus probe report soon.

The committee informed the top court that 29 mobile devices have been examined.

The Supreme Court gave more time to the technical committee to finalise and submit its report.