Google's Threat Analysis Group (TAG) has revealed a sophisticated spyware activity involving ISPs (internet service providers) aiding in downloading powerful commercial spyware onto users' mobile devices. The spyware, dubbed Hermit, is reported to have government clients much like Pegasus.
Italian vendor RCS Labs developed Hermit. The spyware was spotted in Kazakhstan (to suppress protests against government policies), Italy (to investigate those involved in an anti-corruption case), and Syria (to monitor its northeastern Kurdish region), all deployed by their respective governments.
Hermit affects Android and iOS devices and is described as a modular spyware. This means it can download pieces of itself (modules) for additional functionalities, making it customizable to suit client needs, from a C2 (command and control) server.
Unlike NSO's Pegasus, Hermit is not as stealthy. But at its core, it functions like any government-grade spyware. It can read SMS and chat messages, view passwords, intercept calls, record calls and ambient audio, redirect calls, and pinpoint precise locations of victims.
Hermit also roots all infected Android devices, giving itself deeper access to phone features and user data. On iOS, Hermit is packed with six exploits, two of which were targeting zero-day vulnerabilities. According to Google's report, these are the following exploits:
- CVE-2018-4344 internally referred to and publicly known as LightSpeed.
- CVE-2019-8605 internally referred to as SockPort2 and publicly known as SockPuppet
- CVE-2020-3837 internally referred to and publicly known as TimeWaste.
- CVE-2020-9907 internally referred to as AveCesare.
- CVE-2021-30883 internally referred to as Clicked2, marked as being exploited in-the-wild by Apple in October 2021.
- CVE-2021-30983 internally referred to as Clicked3, fixed by Apple in December 2021.
A Hermit spyware campaign starts off as a seemingly authentic messaging app users are deceived into downloading. A government actor also poses as a mobile carrier over SMS—sometimes with the help of the target's ISP—to socially engineer targets into downloading the spyware masquerading as a tool to "fix" their internet connection.
Both Apple and Google have already notified their users regarding this spyware, and then some. Apple revoked the legitimate certificates Hermit abused to reside on iPhone devices, while Google beefed up its Google Play Protect security app to block Hermit from running. Google also pulled the plug on Hermit's Firebase account, which it uses to communicate with its C2.
When questioned by TechCrunch, RCS Labs provided a statement, which we have replicated in part below:
RCS Lab exports its products in compliance with both national and European rules and regulations. Any sales or implementation of products is performed only after receiving an official authorization from the competent authorities. Our products are delivered and installed within the premises of approved customers. RCS Lab personnel are not exposed, nor participate in any activities conducted by the relevant customers.
Providers of government-grade spyware like Pegasus and Hermit always claim to have legitimate reasons for creating malware. But as we've seen and heard from countless reports, they are mainly used to spy on journalists, activists, and human rights defenders.