Sophisticated Hermit Mobile Spyware Heralds Wave of Government Surveillance

While NSO Group’s Pegasus spyware may be the most high-profile surveillance weapon used by repressive governments against civil society, a newly discovered and powerful piece of mobile reconnaissance malware called Hermit has come to light, touted by an Italian developer as a “lawful wiretapping” tool.

At the upcoming SecTor 2022 conference in Toronto, Christoph Hebeisen, director of security intelligence research at Lookout, and Paul Shunk, security researcher at the firm, will outline Hermit’s surveillance capabilities against the backdrop of the growing nation-state market and use of these shadowy applications.

So far, Lookout has observed the Hermit spyware used by the government of Kazakhstan following the violent crackdown on protests with the help of Russian armed forces; used by Italian law enforcement; and deployed against the Kurdish minority in the conflict-ridden northeastern Syrian region of Rojava.

Hermit: Hiding one level below Pegasus

The researchers will kick off their Oct. 5 session, titled “A Hermit Out of Its Shell,” with a discussion of where Hermit fits into the mobile spyware picture. It was developed by an Italy-based vendor called RCS Lab and a related company called Tykelab Srl, according to Hebeisen, and is usually distributed on both Android and iOS platforms by masquerading as legitimate mobile apps rather than in attacks that exploit software vulnerabilities.

“There is a varied market for these; NSO Group is definitely at the top of the field and everyone recognizes the name because they use zero-click exploits to get their surveillance malware onto the device without the user even noticing,” Hebeisen tells Dark Reading. “But then there are a number of these weapons right below that that are distributed as apps, and they’re very effective, even if they require a little bit of social engineering to get onto a target’s device. That’s where Hermit comes into play.”

As for its capabilities, he adds that Hermit packs an info-vacuum punch. In addition to “standard” spyware fare like tracking users’ locations, accessing device microphones and cameras, eavesdropping on calls and texts, and stealing media files, it also offers the ability to sniff out every scrap of content and data placed in any of the apps users have installed, including encrypted messaging apps.

“This is a very sophisticated surveillance tool,” says Hebeisen. “It completely takes over the operating system and can spy on literally everything. Given how deeply ingrained in our lives phones are these days and especially all our private activities, this is practically a perfect tool to find out anything an attacker ever wanted to know about anyone.”

He adds that under the hood, the malware is designed to be nimble and flexible.

“Hermit is built in a very business-like way, being modular,” explains Hebeisen. “So we suspect that may actually be part of the business model where they can sell different levels of this surveillance kit by including or excluding certain modules.”

From a broader perspective, Hermit presents an unpleasant reality when it comes to the next generation of mobile malware: “Despite the fact that mobile operating systems are much more modern than many of the desktop systems and have many more security controls already in place, it is still possible for attackers to get past them and then actually use the legitimate functionality of the operating system against targets,” Hebeisen says.

Nation-state spyware: a growing threat

It should be noted that companies operating in this gray area, including RCS Lab, NSO Group, FinFisher creator Gamma Group, Israeli company Candiru and Russia’s Positive Technologies, maintain that they only sell to legitimate intelligence and enforcement agencies. However, it is a claim that many reject, including the US government, which recently sanctioned several of these organizations for contributing to human rights abuses and the targeting of journalists, human rights defenders, dissidents, opposition politicians, business leaders and others.

Nevertheless, Hebeisen notes that more and more mobile spyware tools are being developed for the booming so-called “legal eavesdropping” market, indicating continued demand. When one gets knocked down, “there are lots of other companies standing in the wings just waiting to take over,” he says.

The demand makes sense from a geopolitical perspective as nations move away from kinetic conflict.

“Unlike physical weapons, for which you have to deal with all kinds of export controls, if you want to sell them to regimes known for human rights abuses, it seems much easier to get around that when you’re dealing with surveillance tools, which is basically just another set of weapons in the fight,” explains Hebeisen.

