Android Spyware Hermit Discovered in Targeted Attacks

The commercial-grade surveillance software initially was used by law enforcement authorities in Italy in 2019, according to a new report.

Researchers have discovered an enterprise-grade Android family of modular spyware dubbed Hermit conducting surveillance on citizens of Kazakhstan by their government.
Lookout Threat Lab researchers - who spotted the spyware - surmise that the secretive Italian spyware vendor RCS Lab developed it and say Hermit was previously deployed by Italian authorities in a 2019 anti-corruption operation in Italy. The spyware also was found in northeastern Syria, home to the countrys Kurdish majority and a site of ongoing crises, including the Syrian civil war.
Android devices have been abused with spyware
in the past
; Sophos researchers uncovered
new variants of Android spyware
linked to a Middle Eastern APT group back in November 2021. More recent
analysis from Google TAG
indicates at least eight governments from across the globe are buying Android zero-day exploits for covert surveillance purposes.
Mike Parkin, senior technical engineer at Vulcan Cyber, says spyware is a tool used by many actors worldwide, including criminal organizations, state or state-sponsored threat actors, national security, and law-enforcement organizations following their own mandates.
Regardless of who is using it or what agenda they are working toward, these commercial- grade spyware tools can seriously threaten peoples personal privacy, he says.
The highest profile spyware case in recent memory was the
discovery of Pegasus
, a legal surveillance software developed by Israeli company NSO Group. The news caused an international furor after it was found covertly installed on iOS and Android mobile phones belonging to human rights activists, journalists, and high-ranking members of governments.
Hermit first gets installed on a targeted device as a framework with minimal surveillance capability. Then it can download modules from a command-and-control (C2) server as instructed and activate the spying functionality built into these modules.
This modular approach masks the malware from automated analysis of the app and makes manual malware analysis significantly harder. In addition, it allows the malicious actor to enable and disable different functionalities in their surveillance campaign or the capabilities of a target device. Hermit can also alter its behavior as needed to evade analysis tools and processes.
The modular design might also be part of the business model of the software vendor, allowing them to sell individual spying features as value-add line items, explains Paul Shunk, security researcher at Lookout, which published
a report on Hermit
today.
Shunk says the overall design and code quality of the malware stands out compared with many other samples he has seen.
It was clear this was professionally developed by creators with an understanding of software engineering best practices, he says. Beyond that, it is not very often we come across malware [that] assumes it will be able to successfully exploit a device and make use of elevated root permissions.
The discovery of Hermit adds another puzzle piece to the picture of the secretive market for lawful intercept surveillance tools, he says.
As in the cases of NSO, Cytrox, and other vendors, discovery of their customers usually exposes their claim that their product is only used for legitimate purposes as at least partially untrue, Shunk says.
One of the Hermit samples Lookout analyzed used a Kazakh language website as its decoy.
And the main C2 server used by the app was just a proxy, with the real C2 being hosted on an IP from Kazakhstan.
The combination of the targeting of Kazakh-speaking users and the location of the back-end C2 server is a strong indication that the campaign is controlled by an entity in Kazakhstan, Shunk says.
Lookout says an Apple iOS version of the spyware exists as well, but the research team was unable to obtain a sample to analyze.
Meanwhile, another Android-based malware family reared its head this week in the form of Malibot, which is targeting online banking customers in Spain and Italy with the capability to steal credentials and crypto wallets. The malware was discovered by F5 Labs while the security company was tracking the mobile banking Trojan FluBot.
The malware consists of two campaigns: Mining X, which presents a QR code that leads to the malware Android Package Kit, and TheCryptoApp, which attempts to dupe users into downloading a fake version of the popular cryptocurrency tracker app available on the Google Play Store.
Its also able to steal or bypass multifactor authentication codes and trick victims into downloading the malware either via a direct SMS phishing message or via fake websites theyre lured to.
This is certainly one to pay attention to and F5 expects to see a broader range of targets as time goes on, especially given the versatility of the malware could, in principle, be used for a wider range of attacks than stealing credentials and cryptocurrency, F5 warns in a
blog post
.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Android Spyware Hermit Discovered in Targeted Attacks