An enterprise-grade monitoring software called Hermit It has been used by entities operating from Kazakhstan, Syria and Italy over the years since 2019, new research has revealed.
Lookout has attributed the spyware, which is equipped to target both Android and iOS, to an Italian company called RCS Lab SpA and Tykelab Srl, a telecommunications service provider it suspects is a front company. The San Francisco-based cybersecurity firm said it took over the campaign targeting Kazakhstan in April 2022.
Hermit is modular and comes with a plethora of features that allow it “to use a rooted device, record audio and make and redirect phone calls, as well as collect data such as phone logs, calls, contacts, photos, device location and text messages” Lookout researchers Justin Albrecht and Paul Shunk said in a new paper.
Spyware is believed to be distributed via SMS messages that trick users into installing seemingly harmless apps from Samsung, Vivo, and Oppo, which, once opened, load a fake company’s website while covertly activating the chain of destruction in background.
Like other Android malware threats, Hermit is designed to abuse its access permissions to accessibility services and other core operating system components (e.g. contacts, camera, calendar, clipboard, etc.) for most of its malicious activities .
Android devices have been targets of spyware in the past. In November 2021, the threat actor identified as APT-C-23 (aka Arid Viper) was linked to a wave of targeted user attacks in the Middle East with new variants of FrozenCell.
So last month, Google’s Threat Analysis Group (TAG) revealed that at least government-backed actors based in Egypt, Armenia, Greece, Madagascar, Cote d’Ivoire, Serbia, Spain and Indonesia are buying Android zero-day exploits for secret surveillance. campaigns.
“RCS Lab, a well-known developer that has been active for more than three decades, operates in the same market as the Pegasus developer NSO Group Technologies and Gamma Group, which created FinFisher,” noted the researchers.
“Collectively referred to as ‘lawful eavesdropping’ companies, they claim to only sell to customers with legitimate use of surveillance software, such as intelligence agencies and law enforcement. In fact, these tools have often been abused under the guise of national security to spy on businesses. leaders, human rights activists, journalists, academics and government officials. “
The findings come as the Israel-based NSO group is in talks to sell its Pegasus technology to US defense contractor L3Harris, the company that makes cell tracers Raie, raising fears that it could open the door for use by the forces. of the US order of the controversial hacking tool.
The German manufacturer behind FinFisher has courted its own troubles following 2020 raids by investigative authorities in relation to alleged violations of foreign trade laws by selling its spyware in Turkey without obtaining the required license.
In early March, it went out of business and declared insolvency, Netzpolitik and Bloomberg reported, adding that “the office was dissolved, employees were laid off and business activities ceased.”