Hermit: Android and iOS spyware pushed by governments

New spyware has been discovered on iOS and Android. Capable of stealing personal data stored on a phone, the application would have benefited from the collaboration of certain authoritarian governments to deploy.

The web is a dangerous place, especially when surfing on mobile. Cybersecurity engineers from Google discovered the existence of a new spyware capable of infecting Android and iOS phones. Nicknamed Hermit, this piece of malicious code is capable of recording audio calls, reading messages or leaking your GPS location.

Legit app tunes

Don’t panic, though, according to researchers at Google and by Lookout, the software was specifically designed to target targets in Kazakstan, Syria and Italy. But the capabilities of this spyware as well as how it works make it a perfect example of the dangers of modern digital espionage.

Hermit would have a priori was developed by an Italian company (based in Milan to be exact) named RCS Lab. Known for many years, the company has already collaborated with intelligence services in Pakistan, Chile or Vietnam to surreptitiously collect information on populations. It is therefore not the first time that the company has worked with more or less authoritarian regimes. Hermit’s infection methods here also suggest that some of the attacks were carried out with the blessing of the powers that be.

Hermit infects Android and iOS mobiles by pretending to be a legitimate application from a secure source, when in reality the application will take advantage of several security vulnerabilities to suck up personal data. It takes advantage of the possibility of installing applications from sources other than Apple and Google stores to infect the targeted mobiles. In less discreet cases, a link claiming to help the victim recover their suspended Facebook or WhatsApp account actually pointed to the malicious application. Or rather to an official application, but infested with bits of malicious code.

Advertising, your content continues below

Collaboration with local ISPs

And in some cases, RCS Lab would have been even smarter. According to security researchers from Lookout and Google, the company has worked with some local operators to deploy its spyware. Some victims have seen their access to mobile Internet cut off by their access provider before receiving a message encouraging them to download an application allowing them to solve the problem. Obviously, the application that restored access to 4G also installed lots of little eavesdroppers on the victims’ phones.

The collaboration with certain operators therefore suggests that government bodies could be in charge. It would not be the first time that this has happened since the Italian authorities would also have used it in 2021 as part of an anti-corruption investigation. Google said it warned affected users and Apple said it took steps to protect its iPhones. RCS Lab for its part swears that it “exports its products in compliance with national and European rules and regulations after having received official authorization from the competent authorities“.

The case is reminiscent of that of NSO Group and its famous spyware Pegasus, which has also been used by several governments around the world. As Google worries, “the commercial spyware industry is thriving and growing at a significant rate. This situation should be of concern to all Internet users“. In the meantime, do not install any application that is offered to you on the web.

Advertising, your content continues below

Advertising, your content continues below