Cybersecurity researchers have unearthed a new enterprise-grade Android spyware called “Hermit” which is used by governments via SMS messages to target prominent figures such as corporate executives, human rights activists , journalists, academics and government officials.
The team from cybersecurity firm Lookout Threat Lab uncovered the “surveillance software” used by the government of Kazakhstan in April, four months after the violent crackdown on nationwide protests against government policies.
“Based on our analysis, the spyware, which we have named ‘Hermit’, is likely developed by Italian spyware vendor RCS Lab and Tykelab Srl, a telecommunications solutions company that we suspect operates as a front company,” the researchers said in a blog post. .
This is not the first time Hermit has been deployed.
Italian authorities used it in an anti-corruption operation in 2019.
“We also found evidence to suggest that an unknown actor used it in northeast Syria, a predominantly Kurdish region that has been the site of numerous regional conflicts,” the team noted.
RCS Lab, a known developer active for more than three decades, operates in the same market as Pegasus developer NSO Group Technologies and Gamma Group, which created FinFisher.
RCS Lab has engaged with military and intelligence agencies in Pakistan, Chile, Mongolia, Bangladesh, Vietnam, Myanmar and Turkmenistan.
Collectively referred to as “lawful interception” companies, they claim to only sell to customers with legitimate use of surveillance software, such as intelligence agencies and law enforcement.
“In reality, these tools have often been misused under the guise of national security to spy on corporate executives, human rights activists, journalists, academics, and government officials,” the researchers warned.
Hermit is modular spyware that hides its malicious capabilities in packages downloaded after deployment.
These modules, along with the permissions the core apps have, allow Hermit to operate a rooted device, record audio, and make and redirect phone calls, as well as collect data such as phone logs. calls, contacts, photos, device location and SMS messages.
“We hypothesize that the spyware is being distributed via SMS messages pretending to be from a legitimate source. The analyzed malware samples impersonated applications from telecommunications companies or smartphone manufacturers,” said said the Lookout team.
Hermit deceives users by spreading the legitimate webpages of the brands it impersonates to run malicious activities in the background.
The researchers said they were also aware of an iOS version of Hermit “but were unable to obtain a sample for analysis.”
According to leaked documents published in WikiLeaks, RCS Lab was a reseller for another Italian spyware vendor HackingTeam, now known as Memento Labs, as early as 2012.
Hermit is highly configurable spyware with enterprise-grade capabilities to collect and transmit data.
The spyware also attempts to maintain the data integrity of the collected evidence by sending a hash-based message authentication code (HMAC).
“In a sense, electronic surveillance tools are not so different from other types of weapons. This month, in the face of financial pressure, NSO Group CEO Shalev Hulio opened up the possibility of selling to ‘risky’ customers,” the researchers said.
Pegasus was developed by the Israeli cyber company NSO Group and can be secretly installed on mobile phones and other devices.
It was able to read text messages, track calls, collect passwords, track location, access microphone and camera of target device and collect information from apps.
The spyware has been used to monitor activists, journalists and political leaders from several countries around the world, including India.
Last month, the Supreme Court-appointed technical committee informed the court that it would soon submit the Pegasus investigation report.
The committee informed the high court that 29 mobile devices had been examined.
The Supreme Court granted the technical committee more time to finalize and submit its report.
(Only the title and image of this report may have been edited by Business Standard staff; the rest of the content is auto-generated from a syndicated feed.)
