Security researchers at Lookout have analyzed a sophisticated Android spyware family that appears to have been created to serve nation-state customers.
Dubbed Hermit, the threat appears to be the first publicly identified mobile spyware developed by Italian vendor RCS Lab S.p.A. and Tykelab Srl, which claims to be a telecommunications solutions company, but which is likely a front company. Tykelab appears closely connected to RCS Lab, with its employees claiming on LinkedIn to be working at both companies.
Active for three decades, RCS Lab appears to operate in the same market as Pegasus developer NSO Group and FinFisher creator Gamma Group. Previously, it was a reseller for Italian spyware vendor Hacking Team, working with military intelligence organizations in Bangladesh, Chile, Mongolia, Myanmar, Pakistan, Turkmenistan, and Vietnam.
Hermit is currently used by the government of Kazakhstan to target entities within the country, but Lookout has found evidence that Hermit was previously used by Italian authorities in 2019, and by an unknown actor in a predominantly Kurdish region of Syria.
Lookout believes that the Android surveillanceware is being distributed via SMS messages that claim to come from legitimate sources. An iOS version of the threat also exists, but the researchers were unable to obtain a sample.
Featuring a modular architecture, the spyware supports 25 modules, each with unique capabilities, to exploit rooted devices, make and redirect calls, record audio and take screenshots, and collect call logs, contacts, messages, browser data, photos, device location, and more. The researchers say they were able to retrieve and analyze 16 of these modules.
Hermit’s modular design also allows it to hide its malicious intent through packages that are downloaded when needed. The initial application functions as a framework with minimal surveillance capability, but which can fetch modules and activate their functionality as instructed, Lookout security researcher Paul Shunk explained in an emailed comment.
“This approach ensures that automated analysis of the app cannot find any of the spying functionality and makes even manual analysis significantly harder. In addition, it allows the malicious actor to enable and disable different functionalities in their surveillance campaign or depending on the capabilities of a target device. The modular design might even be part of the business model of the software vendor allowing them to sell individual spying features as value-add line items,” Shunk added.
The observed Android samples impersonated software from telecom companies and smartphone makers, showing the user the webpages of legitimate brands while the malicious activity kicks off in the background.
Before that, however, the spyware checks whether it is running in an emulator and whether the app has been modified. If all checks pass, it decrypts its embedded configuration, connects to its command and control (C&C) server, and receives instructions on which modules to fetch.
“If the device is confirmed to be exploitable then it will communicate with the C2 to acquire the files necessary to exploit the device and start its root service. This service will then be used to enable elevated device privileges such as access to accessibility services, notification content, package use state and the ability to ignore battery optimization,” Lookout explains.
Some of Hermit’s modules attempt to achieve root execution of commands without user interaction. On devices where root is not available, the modules may prompt action from the user, Lookout says.
“The overall design and code quality of the malware stood out compared to many other samples we see. It was clear this was professionally developed by creators with an understanding of software engineering best practices. Beyond that, it is not very often we come across malware which assumes it will be able to successfully exploit a device and make use of elevated root permissions,” Shunk said.