New enterprise-grade mobile spyware Hermit was used in Kazakhstan, Syria, and Italy

 


Cybersecurity firm Lookout has uncovered new modular, enterprise-grade Android surveillance malware (so-called surveillanceware) used by the government of Kazakhstan. The researchers have been tracking this malware, which they named Hermit, since 2019, but the latest samples were detected earlier this year.

Three years ago, Italian authorities used Hermit in an anti-corruption operation. The researchers also found evidence suggesting that an unknown actor used it in Rojava, a Kurdish-speaking region of Syria. In a recent campaign detected by Lookout in April 2022, the malware was used by Kazakhstan's government. There is also an iOS version of Hermit, but Lookout couldn’t obtain a sample of it for analysis.

Allegedly, the Hermit malware was developed by the Italian company RCS Lab S.p.A and Tykelab Srl, which is known for selling spyware.

According to the analysis, “Hermit is a highly configurable surveillanceware with enterprise-grade capabilities to collect and transmit data.” The malware is able “to exploit a rooted device, record audio and make and redirect phone calls, as well as collect data such as call logs, contacts, photos, device location and SMS messages.”

The infection chain allegedly begins with SMS messages that trick potential victims into installing seemingly legitimate apps from Samsung, Vivo, and Oppo.

“The website the malware used to mask its malicious activity is an official Oppo support page in the Kazakh language that has since gone offline. We also found samples that impersonate Samsung and Vivo,” reads the report.

When opened, these messages serve up the legitimate webpages of the brands but also start malicious activities in the background. For most of its malicious activities, Hermit abuses its permissions for accessibility services and other core components of the operating system (contacts, camera, calendar, clipboard, etc.).
