While NSO Group’s Pegasus spyware is perhaps the best-known surveillance weapon used by repressive governments against civil society, a recently discovered and powerful mobile reconnaissance malware dubbed Hermit has come to light, touted by its Italian developer as a “legitimate eavesdropping tool”.
At the upcoming SecTor 2022 conference in Toronto, Christoph Hebeisen, Director of Security Intelligence Research at Lookout, and Paul Shunk, a security researcher at the firm, will outline Hermit’s surveillance capabilities against the backdrop of the growing nation-state market for, and use of, these shadowy applications.
So far, Lookout has observed the Hermit spyware deployed by the government of Kazakhstan following the violent crackdown on protests carried out with the help of Russian forces; used by Italian law enforcement authorities; and used in operations against the Kurdish minority in the conflict-torn north-east Syrian region of Rojava.
Hermit: A Hidden Animal Beneath Pegasus
The researchers will begin their October 5 session, entitled “A Hermit Out of Its Shell,” with a discussion of where Hermit fits into the mobile spyware picture. According to Hebeisen, it was developed by an Italy-based vendor called RCS Lab and an affiliated company called Tykelab Srl, and it is typically delivered on both Android and iOS by masquerading as a legitimate mobile app rather than through attacks that exploit software vulnerabilities.
“There is a diverse market for this; NSO Group is certainly placed at the top of the field and everyone knows the name because they use zero-click exploits to deliver their surveillance malware onto the device without the user being aware,” Hebeisen told Dark Reading. “But then there’s a bunch of these weapons right below that are distributed as apps, and they’re very effective, although they require a little bit of social engineering to get onto a target’s device. This is where Hermit plays.”
As for its capabilities, he adds that Hermit has a knack for vacuuming up information. In addition to “regular” spyware fare such as tracking user locations, accessing device microphones and cameras, eavesdropping on calls and text messages, and stealing media files, it also offers the ability to sniff out every scrap of content and data located in any of the apps the user has installed, including encrypted messaging apps.
“It’s a very sophisticated surveillance tool,” says Hebeisen. “It completely takes over the operating system and can spy on literally everything. Given how deeply phones have penetrated our lives these days and especially all of our private activities, this is practically a perfect tool to find out everything an attacker ever wanted to know from someone.”
He adds that under the hood, the malware is designed to be agile and flexible.
“Hermit has a very company-oriented structure because it has a modular structure,” explains Hebeisen. “So we suspect that this might actually be part of the business model where they can sell different levels of this monitoring kit by including or excluding certain modules.”
From a broader perspective, Hermit exposes an uncomfortable reality when it comes to next-gen mobile malware: “Although mobile operating systems are much more modern than many desktop systems, and many more security controls are already in place, it’s still possible for attackers to get past them and then actually use the legitimate functionality of the operating system against targets,” Hebeisen says.
Nation-State Spyware: A Growing Threat
It should be noted that companies operating in this gray area, including RCS Lab, NSO Group, FinFisher maker Gamma Group, Israeli company Candiru, and Russia’s Positive Technologies, claim they sell only to legitimate intelligence and law enforcement agencies. Many reject this claim, however, including the US government, which has recently sanctioned several of these organizations for contributing to human rights abuses and for targeting journalists, human rights defenders, dissidents, opposition politicians, business leaders and others.
Nonetheless, Hebeisen notes that more and more mobile spyware tools are being developed for the burgeoning so-called “lawful intercept” market, indicating continued demand. If one vendor gets knocked out, “there are a lot of other companies waiting in the wings just waiting to take over,” he says.
The demand makes geopolitical sense as nations move away from kinetic conflict.
“Unlike physical weapons, where you have to deal with all kinds of export controls if you want to sell them to regimes known for human rights abuses, it seems much easier to circumvent when you’re dealing with surveillance tools, which are basically just another type of weapon in combat,” Hebeisen explains.