Forensic evidence points to the work of Italian and Syrian spyware experts serving state-sponsored threat actors.

A new enterprise-grade Android spyware is being distributed within the borders of Kazakhstan and possibly in Italy and north-eastern Syria—via SMS messages from cybercriminals impersonating legitimate sources such as telecommunications companies or smartphone manufacturers.

Recipients who click on the URLs in the SMS are led to legitimate-looking webpages of the brands being impersonated, where malicious activities can be initiated in the background, according to theories by the cyber researchers from Lookout, Inc who discovered the spyware.

Dubbed Hermit, the Android-based ‘surveillance-ware’ is a modular malware that hides its malicious capabilities in packages downloaded after it has been deployed. Researchers were able to obtain and analyze 16 of the 25 known modules which enable Hermit to exploit a rooted device, record audio and make and redirect phone calls, as well as collect data such as call logs, contacts, photos, device location and SMS messages.

According to forensic clues, Hermit was likely developed by Italian spyware vendor RCS Lab S.p.A. and Tykelab Srl, the latter a telecommunications solutions firm that may be operating as a front company. RCS Lab, a developer with known past dealings with countries such as Syria, operates in the same market as Pegasus developer NSO Group Technologies and Gamma Group, which created FinFisher. This discovery appears to mark the first time that a current client of RCS Lab’s mobile spyware has been publicly identified. 

Said Justin Albrecht, Threat Intelligence Researcher, Lookout: “This discovery gives us an in-depth look into a spyware vendor’s activities and how sophisticated app-based spyware operates. Based on how customizable Hermit is, including its anti-analysis capabilities and even the way it carefully handles data, it’s clear that this is well-developed tooling designed to provide surveillance capabilities to state-sponsored customers. What’s also interesting is that we were able to confirm Kazakhstan as a probable current customer of RCS Lab. It’s not often that you are able to identify a spyware vendor’s clientele.”