Android users infected with Hermit spyware

Lookout, a cybersecurity specialist, reported on June 16 an infection of Android devices with Hermit spyware in Kazakhstan and Italy. Google immediately notified affected users and took steps to mitigate the infection. According to Lookout and Google, the Italian company RCS Lab reportedly designed this software to sell it to government agencies. The case echoes the Pegasus spyware scandal, in which the phones of journalists and political figures were infected in 2021.

An infection with the complicity of telephone operators

Google confirmed the discovery made by Lookout in a post on its blog on June 23. Unlike Pegasus, which is zero-click software requiring no user action to infect a phone, Hermit must be downloaded manually. Lookout explains that the victims were manipulated with the complicity of telephone operators.


According to Google, the targeted person's mobile data connection is temporarily cut off by the operator. They then receive a link by text message inviting them to download a supposedly official application to restore the connection. The link is a decoy: the application it delivers installs Hermit on the victim's Android system, sideloaded outside the Google Play Store and thus bypassing its protections.

Once installed, the spyware connects to a server that collects large amounts of data. Call history, photos, messages, emails and phone location are among the items exfiltrated. More worryingly, Hermit can record audio and redirect calls.

In addition to warning infected people, Google updated Google Play Protect, the security scanner built into Android devices, so that it blocks the spyware. The American giant also cut off Hermit's access to Firebase, Google's application development platform, which the spyware abused to communicate with its server.

Hermit has been used for malicious purposes in several countries

Lookout specifies that the Hermit software has been known for several years. It was already used by the Italian government in 2019 in an anti-corruption operation. According to records found by the cybersecurity specialist, it was also used in Syria by an unknown actor. The targeted area was a region in the northeast of the country, where Hermit posed as "Rojava Network", a media outlet present on social networks.

Lookout traced a more recent use of Hermit to the government of Kazakhstan in April 2022, months after anti-government protests. In this case, Hermit impersonated a website of Oppo, the phone manufacturer, to mislead Internet users.

The evidence collected by Lookout made it possible to trace the company behind the spyware. It is reportedly the Italian company RCS Lab, a spyware vendor known for cases dating back to 2015. At the time, documents leaked by WikiLeaks revealed that RCS Lab was a reseller for HackingTeam, another spyware vendor. Links have been established between these two Italian companies and military and intelligence agencies in many countries, such as Pakistan, Chile, Mongolia and Turkmenistan.

Following the Pegasus case in 2021, a group of UN experts considered that the sale of this type of software should be suspended pending stronger regulation. Although the Hermit affair does not have the same media coverage as that of the Israeli spyware, it could revive the question of a stronger framework for these cyber-armaments.
