Google warns about Hermit, a powerful spyware for Android and iPhone

You don’t need to look at your smartphone with suspicion, but be aware that it faces a serious threat. Google is warning Android users about Hermit, a sophisticated spyware capable of collecting various types of device data. And it gets worse: the company discovered that there are iPhone versions too.

The first alerts actually came from security analysts at the company Lookout. They found that Hermit can capture various types of data, such as phone call logs, photos, SMS messages, emails, log files and the contact list.

Sophisticated as it is, the spyware can also record audio from the environment, redirect calls and even get the smartphone’s geographic location, all without the user realizing it.

Malware reports sometimes sound like “storms in a teacup”, given how little damaging power many of these pests have. But that’s not the case here. A week after Lookout’s alert, Google released a statement confirming everything that had already been reported.

In short, the problem is more serious than it seems.

Espionage in Kazakhstan and Italy

Lookout reports that Hermit was developed by RCS Lab, an Italian software company created around 30 years ago. The development of the spyware reportedly also had the support of Tykelab SRL, a telecommunications company that, in Lookout’s view, could be a front operation.

Why such sophistication? Both Lookout and Google explain that Hermit has been used in government espionage. Targets have been identified in Kazakhstan and Italy. There are also suspected targets in Syria.

The fact that the spyware has only just been reported doesn’t mean it is a recent creation. Lookout reports that, in Italy, authorities allegedly used Hermit in 2019, during an anti-corruption operation.

How Hermit works

For those asking how Hermit works, don’t be surprised if this story sounds familiar. To some extent, Hermit resembles Pegasus, spyware that has been used against journalists, business people and human rights activists, for example.

Because of this, it is no exaggeration to say that RCS Lab is as shadowy a software developer as the NSO Group (the organization behind Pegasus).

Hermit appears to have a less sophisticated infection mechanism than Pegasus, albeit an effective one. Lookout believes the spyware is distributed via a link in SMS messages posing as notices from telecommunications companies or cell phone manufacturers.

In this regard, Google claims to have found evidence that some targets had their internet connection cut off. They then received a link to a supposed carrier tool that promised to restore connectivity but actually installed the spyware.

Presumably this is an effective way to infect the smartphone. By impersonating an alert from the carrier or the cell phone manufacturer, the message is intended to induce the user to grant permission for the supposed fix to be installed on the device.

Fake links impersonating companies such as Oppo, Samsung and Vivo (the cell phone maker, not the carrier) were found.

There is also evidence that the spyware does not act in the same way on all victims. Lookout explains that Hermit has at least 25 known modules, each with different features. Modules can therefore be combined to perform actions tailored to each victim.

Affects Android more, but there is an iOS version

In response, Google has warned users whose devices showed signs of Hermit infection. In addition, the company claims to have implemented changes to Google Play Protect (a security feature that verifies applications) to increase protection against Hermit and other spyware.

All this makes it clear that the main targets are Android users. But Google explains that there are also versions of the spyware for iOS, although its reach on iPhones seems to be smaller than on Android.

According to Google researchers, on iOS, Hermit exploits at least six security holes to capture user data.

To infect the iPhone, the attackers are said to have distributed a fake app resembling My Vodafone. In order for the bogus app to be approved, RCS Lab apparently signed up for Apple’s Enterprise Developer Program through what is believed to be another shell company, 3-1 Mobile SRL.

Other forms of infection are not ruled out.

There’s no reason to fuss

The matter is serious, but there is no reason to panic. First, because the spyware is targeted, that is, it does not spread like a virus trying to claim as many victims as possible. Second, because countermeasures have already been taken.

In addition to the measures already adopted by Google, Apple has had fixes available for all of the exploited flaws for some time.

Still, the message stands: being careful with links received in messages and keeping the operating system and applications up to date remain important security practices.

Contacted by TechCrunch, RCS Lab commented that it “exports its products in accordance with national and European rules and regulations”. The company further stated that its products are deployed only after authorization from the competent authorities and that it does not take part in any activities conducted by its customers.