‘Hermit’ Android spyware used in Syria, Kazakhstan and Italy

Organizations operating inside of Kazakhstan, Syria and Italy are using a powerful enterprise-grade spyware to break into people’s Android devices, according to a report released by cybersecurity firm Lookout. 

Lookout researchers obtained a sample of what they call “Hermit” – a brand of surveillanceware they believe is developed by Italian spyware vendor RCS Lab S.p.A. and telecoms company Tykelab Srl.

In a report released on Thursday, the security company said the spyware is able to hide its capabilities in packages downloaded after it has been deployed, which the researchers said is generally done through SMS text messages. 

Lookout added that its researchers were able to obtain and analyze the malware, which “enable Hermit to exploit a rooted device, record audio and make and redirect phone calls, as well as collect data such as call logs, contacts, photos, device location and SMS messages.”

“Based on how customizable Hermit is, including its anti-analysis capabilities and even the way it carefully handles data, it’s clear that this is well-developed tooling designed to provide surveillance capabilities to nation-state customers,” said Justin Albrecht, threat intelligence researcher at Lookout.

The malware impersonates legitimate apps and “tricks users by serving up the legitimate webpages of the brands it impersonates as it kickstarts malicious activities in the background.”

It also has several features that allow the operators to authenticate the data stolen from a victim’s device. 

Lookout noted that the spyware was highlighted in an anti-corruption report released by Italy’s parliament last year as part of an investigation into its use by Italian law enforcement in 2019. 

The company also found evidence that it was used to target people in northern Syria by spoofing the “Rojava Network” – a news outlet dedicated to Kurdish people living in the region. They also uncovered samples that impersonated Chinese electronic manufacturer Oppo as well as others that spoofed Samsung and Vivo.

Paul Shunk, security researcher at Lookout, told The Record that some Hermit samples they examined contained general content applicable to many users and others were “very clearly targeted.”

“The overall design and code quality of the malware stood out compared to many other samples we see. It was clear this was professionally developed by creators with an understanding of software engineering best practices,” Shunk said. 

“Beyond that, it is not very often we come across malware which assumes it will be able to successfully exploit a device and make use of elevated root permissions.”

He added that the samples they obtained were from VirusTotal and were not obtained from an infected device. 

The samples analyzed used a Kazakh language website as its decoy, according to Shunk, who explained that the main Command-and-control (C2) server used by this app was a proxy and that the real C2 was being hosted on an IP from Kazakhstan.

“The combination of the targeting of Kazakh-speaking users and the location of the backend C2 server is a strong indication that the campaign is controlled by an entity in Kazakhstan,” Shunk explained. 

The report claims that “an entity of the national government is likely behind the campaign” but Shunk confirmed that there “is no direct evidence to tie the IP address to the Kazakh government specifically.”

He noted that the samples were from April, just four months after the country was engulfed in nationwide protests. The government shut down its internet as part of an effort to stop protests that began in January.

Confirmed: #Kazakhstan is again in the midst of a nation-scale internet blackout as of early morning Thursday.

While service was available, President Tokayev gave a televised speech appealing to Russia for assistance to "protect the state."

Report: https://t.co/Op5GwzXKbh pic.twitter.com/yidAooRRoi

— NetBlocks (@netblocks) January 5, 2022

“While there is no direct evidence to tie the IP address to the Kazakh government specifically, lawful intercept companies usually only sell to governments and their agencies,” Shunk said. “Given the use of a Kazakh telecommunications company to host the command-and-control server for a campaign targeting Kazakhs, it is possible that an agency of the Kazakh government is behind this.”

There has been significant discussion about the use of spyware by governments this week as US defense contractor L3Harris entered into talks to buy NSO Group, a spyware company that produced malware used against several world leaders, journalists and human rights officials. 

The Biden administration told The Washington Post on Monday that it is deeply concerned about the potential deal considering the US Commerce Department sanctioned NSO Group and three other cybersecurity companies in November for allegedly selling spyware and other hacking tools to repressive governments.  

Lookout noted that RCS Lab has ties to several other spyware vendors used by a number of governments around the world. 

Mike Parkin, senior technical engineer at Vulcan Cyber, said the developers behind Hermit and other other professional grade tools like this “have the resources, and the backing, to develop and deploy these tools with the tacit support of their State-level clients.”

“Regardless of who is using it, or what agenda they are working towards, these commercial grade spyware tools can seriously threaten people’s personal privacy,” Parkin said.