Hermit: The Pegasus-like Spyware That Governments Are Using To Snoop on Citizens

The spyware attempts to root Android phones, which allows access to privileged control over various subsystems.

Viraj Gaur
Tech News
Published:
<div class="paragraphs"><p>Parental control softwares allow snooping at lower costs in India. Image used for representational purposes.&nbsp;</p></div>
i

Parental control softwares allow snooping at lower costs in India. Image used for representational purposes. 

(Photo: Altered by The Quint)

advertisement

Researchers at cybersecurity company Lookout have found that the governments of Italy, Syria and – most recently – Kazakhstan may have been using a previously unknown spyware to snoop on citizens.

It's no secret that governments across the world use surveillance software to spy on their own citizens, members of opposition, vocal critics, and other persons of interest.

In 2021, the infamous Pegasus spyware was found to have infiltrated the phones of 1,400 individuals globally, including human rights activists, lawyers and activists in India. Meanwhile, Candiru spyware has been used by government bodies in Spain, Uzbekistan, and other countries.

Hermit, however, appears to be more capable (and therefore dangerous) than its predecessors. Here's all you need to know.

What’s Hermit, How Does It Work?

Hermit is a modular enterprise-grade surveillanceware. According to Lookout, it has around 25 modules that can be downloaded after it is deployed, and each of them has unique malicious capabilities.

The spyware attempts to root Android phones, a process which allows access to privileged control over various Android subsystems.

"These modules, along with the permissions the core apps have, enable Hermit to exploit a rooted device, record audio and make and redirect phone calls, as well as collect data such as call logs, contacts, photos, device location and SMS messages."
Justin Albrecht and Paul Shunk, Lookout

Hermit, according to Lookout, is distributed via SMS messages pretending to come from a legitimate sources like telecom operators and smartphone manufacturers.

When you click on the link it will open up the actual webpage, to maintain the illusion, while secretly kickstarting malicious activities in the background.

There's an iOS version of Hermit too, but it hasn't been analysed yet.

Who Made Hermit?

Lookout researchers suspect that this spyware was made by Tykelab, a telecom solutions company, and RCS Lab, a secretive Italian developer with a clientele similar to Israel's NSO Group and Germany's Gamma Group.

"Collectively branded as 'lawful intercept' companies, they claim to only sell to customers with legitimate use for surveillanceware, such as intelligence and law enforcement agencies," wrote researchers Justin Albrecht and Paul Shunk.

RCS Labs, according to documents uploaded on Wikileaks, has allegedly been in touch with military and intelligence agencies in Pakistan, Chile, Mongolia, Bangladesh, Vietnam, Myanmar and Turkmenistan.

ADVERTISEMENT
ADVERTISEMENT

Who Has Used Hermit?

Lookout's analysis suggests that Hermit is currently being used in Kazakhstan and has previously been used in Syria and Italy.

In Kazakhstan, a sample was first detected in April 2022. The spyware impersonated smartphone manufacturers Oppo, Samsung and Vivo to mask its malicious activity. The researchers believe that "an entity of the national government is likely behind the campaign".

Before this, researchers found a reference to Rojava, a Kurdish-speaking region in northeastern Syria which is the site of the an ongoing civil conflict.

The domain specifically imitates “Rojava Network,” a social media outlet that provides news coverage and political analysis of the region, often in support of Kurdish operations.

Hermit has also been deployed in Italy in 2019. A document released by the Italian lower house last year, reportedly suggests that the spyware was used in an anti-corruption operation.

How Does It Compare to Pegasus?

Hermit is potentially more dangerous than Pegasus since it has more control over the device.

It can run on all Android versions and checks the version of the device running the app at various times "in order to adapt its behavior to the version of the operating system," researcher Paul Shunk told TechCrunch.

This feature makes Hermit stand out from other app-based spyware. It even performs a series of checks to ensure that it isn’t being analysed.

(With inputs from TechCrunch)

(At The Quint, we question everything. Play an active role in shaping our journalism by becoming a member today.)

Published: undefined

ADVERTISEMENT
SCROLL FOR NEXT