Hermit, not Pegasus, is reportedly the new Android spyware being used by governments to target high-profile officials. Business executives, human rights activists, journalists, academics, and government officials are among those who have been targeted. The spyware, which is installed in the target’s system via SMS, was first discovered in Kazakhstan. Cases from Syria and Italy eventually emerged a few days later.
“Based on our analysis, the spyware, which we named ‘Hermit’ is likely developed by Italian spyware vendor RCS Lab and Tykelab Srl, a telecommunications solutions company we suspect to be operating as a front company,” the researchers said in a blog post.
Hermit was first discovered in Kazakhstan in April, according to security researchers at Lookout. It was discovered months after the Kazakh government suppressed anti-government protests. The spyware was also used to target high-profile individuals in Syria’s northeastern Kurdish region and, in Italy, as part of an anti-corruption investigation. Lookout found that the malware can run on all Android versions.
“Hermit checks the Android version of the device running the app at various times in order to adapt its behavior to the version of the operating system, it stands out from other app-based spyware,” Lookout researcher Paul Shunk told TechCrunch via email.
Researchers discovered that the malicious Android apps are distributed via text messages. The approach resembles a phishing attack in which the user is duped into thinking the message is from a legitimate source. The apps mimic those of telecom companies and smartphone manufacturers such as Samsung and Oppo. They appear so real that users frequently end up downloading them to their phones. Lookout said it was unable to detect iOS spyware of a similar nature because it is currently targeting Android users.
“We theorize that the spyware is distributed via SMS messages pretending to come from a legitimate source. The malware samples analyzed impersonated the applications of telecommunications companies or smartphone manufacturers. Hermit tricks users by serving up the legitimate webpages of the brands it impersonates as it kickstarts malicious activities in the background,” the blog read.