
Security researchers at Lookout have released new details about Android spyware deployed in attacks by national governments, with victims in Kazakhstan, Syria and Italy.
The spyware, known as “Hermit,” was first detected in Kazakhstan in April, just months after the Kazakh government violently suppressed protests against government policies. According to Lookout, a Kazakh government entity was likely behind the most recent campaign. The spyware has also been deployed in the northeastern Kurdish region of Syria and by Italian authorities as part of an anti-corruption investigation.
By looking into the Hermit code, Lookout concluded that it is modular – allowing the spyware to download additional components as needed. Hermit uses various modules to collect call logs, record audio, redirect phone calls and collect photos, messages, emails and the device’s location. What sets it apart, however, is its ability to root phones: it pulls the files needed to break the device’s protections from its command and control server, giving it near-unfettered access to the device without any user interaction.
Lookout researcher Paul Shunk said the malware can run on all Android versions. “Hermit checks the Android version of the device running the app at various times in order to adapt its behavior to the version of the operating system,” he said, adding that this makes it “stand out from other app-based spyware.”
It is believed Hermit is distributed via an SMS message spoofed to look as if it comes from a legitimate source, such as a telecom company or a major handset maker, in order to trick the victim into downloading the malicious app.
Lookout added that there was evidence of a Hermit iOS app that abused Apple enterprise developer certificates to sideload the malicious app from outside the App Store. However, the researchers were not able to obtain a sample of the iOS spyware.
According to Lookout, there is evidence suggesting that Hermit has been developed by Italian spyware vendor RCS Lab and Tykelab, a telecom solutions company.
Unfortunately, Hermit is just one of several government-grade spyware tools known to be used by authorities to conduct targeted phone surveillance. Similar malware has been used by governments to spy on their critics — including journalists, activists and human rights defenders.
As a regular user, you should be careful about what you click on and what kind of attachments you open. That is how most of today’s malware gets onto users’ devices. So make sure to think, and think again, before clicking on anything online. And, of course, use a VPN. 😉