Google has alerted an unspecified number of Android phone users that they have been infected with a recently spotlighted spyware named Hermit. “We have identified victims in Kazakhstan and Italy,” Google’s Threat Analysis Group (TAG) said in a blog post.
Unlike the Pegasus spyware, developed by NSO Group, which exploited “zero-click” vulnerabilities on iPhone (infecting a device without any action by its user), the compromises Google observed in Hermit’s case begin with a link sent to the victim.
The link invites the victim to install an application posing as either a tool from a mobile operator or a messaging app. In some cases, according to Google, the Hermit operator seeking to infect someone has the cooperation of a telephone company, which cuts off the target’s mobile connectivity; the phishing message then invites the target to restore the connection by installing the malicious application.
Lots of potentially stolen information
Whether on iOS or Android, Hermit uses several methods to get the victim to install the app without going through the official stores (App Store and Google Play Store). Once installed on the phone, Hermit can access a range of personal data. On Android, for example, the app requests permissions to activate the camera and microphone, read SMS messages, and more.
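The combination described above, an app that did not come from Google Play yet holds camera, microphone and SMS permissions, is a signal a defender can triage for on a device. The script below is an added example, not code from Google, Lookout or the article. The inventory lines are constructed, their one-app-per-line format and the `min_hits` threshold are assumptions of the example, and the permission strings and the `com.android.vending` installer name are real Android identifiers.

```python
"""Triage installed Android apps for the Hermit-style profile the article
describes: installed outside Google Play and holding camera, microphone and
SMS permissions.  Added example; not code from Google, Lookout or the article."""

from typing import Dict, List, Set, Tuple

# Real Android identifiers: the Play Store's package name and the runtime
# permissions the article says Hermit requests on Android.
PLAY_STORE = "com.android.vending"
SENSITIVE = {
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_SMS",
}

# Constructed inventory in a simplified key=value line format (an assumption of
# this example; in practice such lines would be assembled from the output of
# `adb shell pm list packages -3` and `dumpsys package <pkg>`).
# installer=none means the app was sideloaded from an unknown source.
SAMPLE_INVENTORY = """\
package=com.example.messenger installer=com.android.vending perms=android.permission.CAMERA,android.permission.RECORD_AUDIO,android.permission.READ_SMS
package=com.example.carrier.support installer=none perms=android.permission.CAMERA,android.permission.RECORD_AUDIO,android.permission.READ_SMS,android.permission.READ_CONTACTS
package=com.example.flashlight installer=none perms=android.permission.CAMERA
"""

App = Dict[str, object]


def parse_inventory(text: str) -> List[App]:
    """Parse key=value lines into app records; lines without a package are skipped."""
    apps: List[App] = []
    for raw in text.splitlines():
        fields = dict(tok.split("=", 1) for tok in raw.split() if "=" in tok)
        if "package" not in fields:
            continue
        installer = fields.get("installer", "none")
        perms = {p for p in fields.get("perms", "").split(",") if p}
        apps.append({
            "package": fields["package"],
            "installer": None if installer == "none" else installer,
            "granted": perms,
        })
    return apps


def is_sideloaded(app: App) -> bool:
    """Anything not installed by the Play Store counts as sideloaded here."""
    return app["installer"] != PLAY_STORE


def sensitive_permissions(app: App) -> Set[str]:
    """Subset of the app's granted permissions that are in the watch list."""
    return set(app["granted"]) & SENSITIVE  # type: ignore[arg-type]


def flag_suspicious(apps: List[App], min_hits: int = 2) -> List[Tuple[str, List[str]]]:
    """Return (package, sorted sensitive permissions) for every sideloaded app
    holding at least `min_hits` of the watched permissions.  The threshold is a
    tunable assumption: 2 catches camera+microphone pairs while sparing a
    sideloaded flashlight app that only wants the camera."""
    hits: List[Tuple[str, List[str]]] = []
    for app in apps:
        if not is_sideloaded(app):
            continue
        perms = sensitive_permissions(app)
        if len(perms) >= min_hits:
            hits.append((str(app["package"]), sorted(perms)))
    return hits


if __name__ == "__main__":
    for pkg, perms in flag_suspicious(parse_inventory(SAMPLE_INVENTORY)):
        print(f"REVIEW {pkg}: sideloaded, holds {', '.join(perms)}")
```

Note that the Play-installed messenger with the same three permissions is deliberately not flagged: a legitimate messaging app reasonably asks for all of them, and the signal here is the install path combined with the permissions, not the permissions alone. A hit is a prompt for review of the package's origin and signer, not proof of infection.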
The new information published by Google comes a week after the specialized company Lookout published a long report on Hermit, which likewise rests on the discovery of infected victims in Kazakhstan, as well as in north-eastern Syria, where Kurdish populations live.
Google and Lookout believe that this spyware is developed by the Italian company RCS Lab, a company which, like many others, sells surveillance technologies to governments, police and intelligence services. On its site, RCS claims to have subsidiaries in Spain and France. “RCS is the European leader in lawful interception services, with more than 10,000 targets processed daily in Europe alone,” the company adds. The fact that Hermit sometimes relies on the cooperation of telecommunications operators to infect its targets also supports the conclusion that it is a tool used by state actors.
Former partner of Hacking Team
As Lookout points out, documents released by WikiLeaks suggest that RCS Lab was, in the early 2010s, a partner of another controversial Italian company called Hacking Team. That spyware developer, whose emails were hacked and leaked by an activist in 2015, has been accused, among other things, of selling surveillance technology to authoritarian countries.
In e-mail exchanges dated 2012, for example, representatives of Hacking Team and RCS discuss the former offering the latter the role of reseller for a potential customer: a Pakistani intelligence service. In the same exchange, RCS offers to market one of Hacking Team’s tools to a government client in Turkmenistan. “You have the green light to present and promote our solution to the end user in Turkmenistan,” wrote a senior Hacking Team executive.
In 2016, the specialized site Motherboard got hold of a presentation made by RCS Lab to one of its customers for its own surveillance technology, at the time called Mito3.
Internet giants like Google and Apple watch the surveillance industry closely, because surveillance vendors are constantly looking for security holes in Android and iOS phones in order to keep selling their tools to customers. In May, Google’s Threat Analysis Group said it actively monitors nearly 30 companies selling spyware technologies.