Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?



Sophisticated Android Spyware ‘Hermit’ Used by Governments

Security researchers at Lookout have analyzed a sophisticated Android spyware family that appears to have been created to serve nation-state customers.

Security researchers at Lookout have analyzed a sophisticated Android spyware family that appears to have been created to serve nation-state customers.

Dubbed Hermit, the threat appears to be the first publicly identified mobile spyware developed by Italian vendor RCS Lab S.p.A. and Tykelab Srl, which claims to be a telecommunications solutions company, but which is likely a front company. Tykelab appears closely connected to RCS Lab, with its employees claiming on LinkedIn to be working at both companies.

Active for three decades, RCS Lab appears to operate in the same market as Pegasus developer NSO Group and FinFisher creator Gamma Group. Previously, it was a reseller for Italian spyware vendor Hacking Team, working with military intelligence organizations in Bangladesh, Chile, Mongolia, Myanmar, Pakistan, Turkmenistan, and Vietnam.

Hermit is currently used by the government of Kazakhstan to target entities within the country, but Lookout has found evidence that Hermit was previously used by Italian authorities in 2019, and by an unknown actor in a predominantly Kurdish region of Syria.

Lookout believes that the Android surveillanceware is being distributed via SMS messages that claim to come from legitimate sources. An iOS version of the threat also exists, but the researchers were unable to obtain a sample.

Featuring a modular architecture, the spyware supports 25 modules, each with unique capabilities, to exploit rooted devices, make and redirect calls, record audio and take screenshots, and collect call logs, contacts, messages, browser data, photos, device location, and more. The researchers say they were able to retrieve and analyze 16 of these modules.

Hermit’s modular design also allows it to hide its malicious intent through packages that are downloaded when needed. The initial application functions as a framework with minimal surveillance capability, but which can fetch modules and activate their functionality as instructed, Lookout security researcher Paul Shunk explained in an emailed comment.

Advertisement. Scroll to continue reading.

[ READ: NSO Pegasus Zero-Click ‘Most Technically Sophisticated Exploit Ever Seen’ ]

“This approach ensures that automated analysis of the app cannot find any of the spying functionality and makes even manual analysis significantly harder. In addition, it allows the malicious actor to enable and disable different functionalities in their surveillance campaign or depending on the capabilities of a target device. The modular design might even be part of the business model of the software vendor allowing them to sell individual spying features as value-add line items,” Shunk added.

The observed Android samples impersonated software from telecom companies and smartphone makers, showing to the user the webpages of legitimate brands, while the nefarious activity kicks off in the background.

Before that, however, the spyware checks whether it’s running in an emulator and whether the app has been modified. If all checks pass, it decrypts embedded configuration to connect to its command and control (C&C) server and receive instructions on which modules it should fetch.

“If the device is confirmed to be exploitable then it will communicate with the C2 to acquire the files necessary to exploit the device and start its root service. This service will then be used to enable elevated device privileges such as access to accessibility services, notification content, package use state and the ability to ignore battery optimization,” Lookout explains.

Some of Hermit’s modules attempt to achieve root execution of commands without user interaction. On devices where root is not available, the modules may prompt action from the user, Lookout says.

“The overall design and code quality of the malware stood out compared to many other samples we see. It was clear this was professionally developed by creators with an understanding of software engineering best practices. Beyond that, it is not very often we come across malware which assumes it will be able to successfully exploit a device and make use of elevated root permissions,” Shunk said.

Related: New Android Spyware Uses Turla-Linked Infrastructure

Related: Exodus Android Spyware With Possible Links to Italian Government Analyzed

Related: ‘Mandrake’ Android Spyware Remained Undetected for 4 Years

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.