Lookout discovers Android spyware ‘Hermit’ deployed in Kazakhstan

Haarlem, 16 June 2022 – The security company Lookout has discovered that enterprise-grade Android surveillance software is currently being used by the government of Kazakhstan within the country’s borders. Lookout researchers also found evidence that this spyware, which they named “Hermit”, has been deployed in Italy and northeastern Syria.

Hermit was likely developed by the Italian spyware vendor RCS Lab S.p.A. and Tykelab Srl, a telecommunications solutions company that may operate as a front company. RCS Lab, a well-known developer that has previously done business with countries such as Syria, is in the same market as Pegasus developer NSO Group Technologies and Gamma Group, which developed the ‘FinFisher’ spyware.

These companies present themselves as legitimate businesses and claim that they only sell their software to customers with a legitimate reason to use surveillance software, such as intelligence services and law enforcement agencies. In reality, however, such tools have often been misused in the past under the guise of national security to spy on business leaders, human rights activists, journalists, academics, and government officials. This appears to be the first time that a current customer of RCS Lab’s mobile spyware has been publicly identified.

Hermit is modular surveillance software that hides its malicious capabilities in modules that are downloaded after the main program is installed. Researchers were able to obtain and analyze 16 of the 25 modules. Combined with the permissions held by the main malware, the Hermit modules allow it to exploit a rooted device, record audio, make and redirect phone calls, and collect data such as phone logs, contact information, photos, device location, and text messages. ‘Rooting’ means configuring a device in such a way that more rights are available and more apps can be installed.

“This discovery gives us a deeper understanding of a spyware vendor’s business and how advanced app-based spyware works,” said Justin Albrecht, a threat researcher at Lookout. “Hermit’s broad adaptation capabilities, including counter-analysis capabilities and even the careful handling of data, show that this is a well-developed tool designed to provide nation-states with monitoring capacity. What is also interesting is that we were able to confirm that Kazakhstan is likely currently a customer of RCS Lab. It is not often that customers of a spyware vendor can actually be identified.”

Lookout’s researchers suspect that this spyware is distributed via text messages that appear to come from a legitimate sender. The malware samples analyzed impersonated apps from telecommunications companies or smartphone manufacturers. Hermit deceives users by displaying the legitimate web pages of these brands while launching malicious activities in the background.

Read the Lookout Research Blog or visit the Lookout Threat Lab to learn more about Hermit.

About Lookout

Lookout is an integrated endpoint-to-cloud security company. Lookout’s mission is to secure and strengthen our digital future in a privacy-centric world where mobility and the cloud are paramount in everything we do. The company helps consumers and employees protect their data and stay securely connected without violating their privacy and trust. Lookout is used by millions of consumers, large organizations and government agencies and by partners such as AT&T, Verizon, Vodafone, Microsoft, Google and Apple. Lookout is headquartered in San Francisco and also has offices in Haarlem, Boston, London, Sydney, Tokyo, Toronto and Washington, DC. For more information, visit www.lookout.com and follow Lookout on LinkedIn, Twitter and through blogs.

This article is a submitted message and is not the responsibility of the editors.
