Lookout Inc. discovered an enterprise-grade Android surveillanceware being used by the authorities operating within Kazakhstan's borders. Lookout researchers identified evidence of the spyware, called "Hermit," being used in Italy and northern Syria.
Researchers got a sample of "Hermit" in April 2022, four months after a series of violently suppressed nationwide rallies against government policies. The Hermit spyware was most likely built by RCS Lab S.p.A, an Italian surveillance firm, and Tykelab Srl.
The Hermit spyware was most likely produced by Italian surveillance vendor RCS Lab S.p.A and Tykelab Srl, a telecommunications solutions company accused of acting as a front company, according to Lookout.
In the same market as Pegasus creator NSO Group Technologies and Gamma Group, which invented FinFisher, is a well-known developer with previous interactions with governments such as Syria. This appears to be the first time that a modern RCS Lab mobile spyware client has been publicly disclosed.
The spyware is said to be spread by SMS messages that spoof users into installing what appear to be harmless apps from Samsung, Vivo, and Oppo, which, when launched, load a website from the impersonated company while silently initiating the kill chain.
Spyware has been seen to infect Android smartphones in the past. The threat actor APT-C-23 (aka Arid Viper) was linked to a series of attacks targeting Middle Eastern users with new FrozenCell versions in November 2021. Last month, Google's Threat Analysis Group (TAG) revealed that government-backed actors in Egypt, Armenia, Greece, Madagascar, Côte d'Ivoire, Serbia, Spain, and Indonesia are purchasing Android zero-day exploits for covert surveillance efforts.
As per Lookout, the samples studied used a Kazakh language website as a decoy, and the main Command-and-control (C2) server used by this app was a proxy, with the true C2 being located on an IP from Kazakhstan. "They call themselves 'lawful intercept' organizations since they claim to only sell to customers with legitimate surveillance purposes, such as intelligence and law enforcement agencies. Under the pretext of national security, similar technologies have been used to phish on corporate executives, human rights activists, journalists, academics, and government officials "as per the researchers.
The revelations came as the Israel-based NSO Group is rumored to be in talks to sell its Pegasus technology to US defense contractor L3Harris, which makes StingRay cellular phone trackers, raising concerns it could allow law enforcement to deploy the controversial hacking tool.