Google Notifies Android Users Affected by Government-Class Hermit Spyware



Lookout Security Researchers have recently linked previously unattributed android mobile spyware , nicknamed Hermit, to the Italian software company RCS Lab. Now Google threat researchers have confirmed much of Lookout’s findings and are advising Android users whose devices have been compromised by the spyware.

Hermit is commercial spyware known to be used by governments, with victims in Kazakhstan and Italy, according to Lookout and Google. Lookout says it also saw the spyware deployed in northern Syria. The spyware uses various modules, which it downloads from its command and control servers as needed, to collect call logs, record ambient audio, redirect phone calls, and collect photos, messages , emails and precise location of the device from the victim’s device. Lookout said in his analysis that Hermit, which works on all versions of Android, also tries to root an infected Android device, granting the spyware even deeper access to the victim’s data.

Lookout said targeted victims receive a malicious link via text message and are tricked into downloading and installing the malicious app – which masquerades as a legitimate branded telecom or messaging app – from outside the App. Store.


According a new blog post published Thursday and shared with TechCrunch before publication, Google said it found evidence that in some cases government actors controlling the spyware worked with the target’s internet service provider to cut off their mobile data connectivity, likely as a way to trick the target into downloading a telecommunications-themed app under the guise of restoring connectivity.

Google also analyzed a sample of the Hermit spyware targeting iPhones, which Lookout said previously it was unable to obtain. According to Google’s findings, the Hermit iOS app — which abuses Apple enterprise developer certificates allowing the spyware to be sideloaded on a victim’s device from outside of the app store — is packed with six different exploits, two of which were never-before-seen vulnerabilities — or zero-days — at the time of their discovery. One of the zero-day vulnerabilities was known to Apple as being actively exploited before it was fixed.

Neither Android nor iOS versions of Hermit spyware were found in app stores, according to the two companies. Google said it had “notified Android users about infected devices” and updated Google Play Protect, Android’s built-in app security scanner, to prevent the app from running. Google said it also disconnected the spyware’s Firebase account, which the spyware used to communicate with its servers.

Google did not specify the number of Android users it was notifying.

When asked by TechCrunch if Apple had disabled the corporate certificate used to sign the iOS version of the spyware, which would render the spyware unable to function, an Apple spokesperson had no comment.

Hermit is the latest government-level spyware known to be deployed by state agencies. Although it is unknown who has been targeted by governments using Hermit, similar mobile spyware developed by hacking-for-hire companies, such as NSO Group and Candiru, have been linked to surveillance of journalists, activists and human rights defenders .

When contacted for comment, RCS Lab provided an unattributed statement, which read in part: “RCS Lab exports its products in accordance with national and European rules and regulations. Any sale or placement of products is only carried out after having received official authorization from the competent authorities. Our products are delivered and installed in the premises of approved customers. RCS Lab personnel are not exposed to or participate in any activities conducted by affected customers.


Leave a Comment