Hermit Previews Sophisticated Spyware To Come

The appropriately named Hermit, an enterprise-grade Android surveillanceware currently used by the Kazakhstan government within its borders and also deployed in Italy and Syria, portends the sophistication of spyware to come.

“The Hermit app that initially is installed on a device is a framework with minimal surveillance capability built into the app,” said Paul Shunk, a Lookout security researcher whose team discovered Hermit.

“It has the ability to download modules from a command-and-control server as instructed and then to activate the functionality built into these modules,” said Shunk. “This approach ensures that automated analysis of the app cannot find any of the spying functionality and makes even manual analysis significantly harder.”

The spyware is likely the brainchild of Italian vendor RCS Lab S.p.A. and telecom solutions firm Tykelab Srl, which is believed to be a front company. Hermit hides its malicious capabilities in packages that are downloaded only after the spyware has been deployed.

Lookout researchers obtained and examined 16 of 25 known modules, and their discovery is believed to be the first time one of RCS Lab's current clients has been outed publicly. The samples were detected in April, four months after the Kazakhstan government suppressed protests against its policies.

“The modules, along with the core malware’s permissions, enable Hermit to exploit a rooted device, record audio and make and redirect phone calls, as well as collect data such as call logs, contacts, photos, device location and SMS messages,” according to a release.

Lookout researchers believe the spyware is distributed via SMS messages that appear to come from a legitimate source. “The malware samples analyzed impersonated the applications of telecommunications companies or smartphone manufacturers,” the release said. “Hermit tricks users by serving up the legitimate webpages of the brands it impersonates as it kickstarts malicious activities in the background.”

The modularity “allows the malicious actor to enable and disable different functionalities in their surveillance campaign or depending on the capabilities of a target device,” said Shunk. “The modular design might even be part of the business model.”

“The overall design and code quality of the malware stood out compared to many other samples we see,” Shunk said. “It was clear this was professionally developed by creators with an understanding of software engineering best practices.”

Beyond that, he said, “it is not very often we come across malware which assumes it will be able to successfully exploit a device and make use of elevated root permissions.”

Spyware is a tool of many actors worldwide—from criminal organizations and state or state-sponsored threat actors to national security or law enforcement organizations “following their own mandates,” noted Mike Parkin, senior technical engineer at Vulcan Cyber. “Regardless of who is using it or what agenda they are working toward, these commercial grade spyware tools can seriously threaten people’s personal privacy.”

In this case, Lookout researchers uncovered some clues about who might be behind the use of Hermit. “One of the Hermit samples we analyzed used a Kazakh language website as its decoy. We further identified that the main command-and-control (C2) server used by this app was just a proxy, with the real C2 being hosted on an IP from Kazakhstan,” said Shunk. “The combination of the targeting of Kazakh-speaking users and the location of the backend C2 server is a strong indication that the campaign is controlled by an entity in Kazakhstan.”

Hermit was used by the Italian government in 2019 in an anti-corruption operation. And Lookout also “found evidence suggesting that an unknown actor used it in northeastern Syria, a predominantly Kurdish region that has been the setting of numerous regional conflicts.”

Image: Tumisu
https://pixabay.com/photos/spying-eye-spy-surveillance-4270361/
(Pixabay license)


Teri Robinson

From the time she was 10 years old and her father gave her an electric typewriter for Christmas, Teri Robinson knew she wanted to be a writer. What she didn’t know is how the path from graduate school at LSU, where she earned a Masters degree in Journalism, would lead her on a decades-long journey from her native Louisiana to Washington, D.C. and eventually to New York City where she established a thriving practice as a writer, editor, content specialist and consultant, covering cybersecurity, business and technology, finance, regulatory, policy and customer service, among other topics; contributed to a book on the first year of motherhood; penned award-winning screenplays; and filmed a series of short movies. Most recently, as the executive editor of SC Media, Teri helped transform a 30-year-old, well-respected brand into a digital powerhouse that delivers thought leadership, high-impact journalism and the most relevant, actionable information to an audience of cybersecurity professionals, policymakers and practitioners.
