The most recent sophisticated malware to make headlines is called “Hermit,” and it’s said to have targeted Android and iPhone devices in Italy and Kazakhstan. The Lookout, a cybersecurity company located in San Francisco, was the first to discover Hermit’s deployment. The spyware was created by an Italian vendor named RCS Lab. Then, last week, Google’s Threat Analysis Group (TAG) published a thorough blog post outlining how they thought Hermit was utilised to target smartphones.
Hermit is malware similar to NSO Group’s Pegasus. Once installed, it has the ability to make unauthorised calls, record audio on the device, and do a variety of other unauthorised tasks. Lookout claims that the malware is capable of stealing contacts, calendar events, bookmarks and searches from saved account emails. Additionally, it has the ability to snap photographs of the device, steal data such as information about the kernel, model, manufacturer, OS, security patch, phone number, etc. On a hijacked phone, it may also download and install APK files, which are the programme software files for Android.
The malware can also read alerts, upload files from the device, and take screenshots of the display. According to research by Lookout, an Android system’s root or “privilege” access may be used to delete applications like Telegram and WhatsApp. Researchers claim that malware has the ability to secretly delete and reinstall Telegram. The reinstalled version, however, is probably a hacked one. The old app’s data may likewise be stolen by it. The user may be prompted to reinstall WhatsApp using the Play Store for WhatsApp.
Hermit can therefore manage and monitor data from all important applications once it has been installed on a phone.
Licensing costs for sophisticated spyware like Hermit and Pegasus cost millions of dollars, and these are not straightforward operations. It differs from typical malware that targets normal users. Furthermore, it appears that complicated processes were utilised in the instance of Hermit. All efforts, according to Google’s TAG team, began with a special URL given to the victim’s phone. The website installed the programme on both Android and iOS when the user clicked.
As already said, Hermit is not a typical spyware. According to Lookout’s investigation, “a national government organisation is probably behind the effort” in Kazakhstan. Google added that it has located and informed all Android victims in Kazakhstan and Italy. Additionally, it claimed that all Firebase projects used to command and control the campaign had been deactivated and that Google Play Protect had undergone adjustments.
Lookout claims to have observed this being used in Syria. Documents in Italy revealed that it had been abused during an anti-corruption operation.
The use of surveillance tools by the government is also strongly condemned in Google’s blog post, which notes that these tools are frequently “used by governments for purposes antithetical to democratic values: targeting dissidents, journalists, human rights workers, and opposition party politicians.”
According to a Reuters story, RCS Labs has denied any wrongdoing and asserted that its goods and services adhere to European regulations and aid in criminal investigations.
