At the upcoming SecTor 2022 conference in Toronto, Christoph Hebeisen, director of security intelligence research at Lookout, and Paul Shunk, security researcher at the firm, will lay out Hermit’s surveillance capabilities, against the backdrop of the growing nation-state market and use of these shadowy applications.
So far, Lookout has observed the Hermit spyware being used by the government of Kazakhstan after the violent suppression of protests with the help of Russian armed forces; being applied by Italian law enforcement; and being deployed against the Kurdish minority in the conflict-plagued northeastern Syrian region of Rojava.
Hermit: Hiding Out 1 Tier Below Pegasus
The researchers will kick off their Oct. 5 session, entitled “A Hermit Out of Its Shell,” with a discussion of where Hermit fits into the mobile spyware picture. It was developed by an Italy-based vendor called RCS Lab and a related company called Tykelab Srl, according to Hebeisen, and is usually distributed on both Android and iOS platforms by masquerading as legitimate mobile apps rather than in attacks that exploit software vulnerabilities.
“There’s a variety of market for these; NSO Group is certainly placed at the top of the field, and everybody recognizes the name, because they use zero-click exploits to get their surveillance malware onto the device without the user even noticing anything,” Hebeisen tells Dark Reading. “But then there is a tier of these weapons just below that, which are distributed as apps, and they are very effective even though they require a little bit of social engineering to get onto a target’s device. That’s where Hermit plays.”
In terms of its capabilities, it adds that Hermit packs an info-vacuuming punch. In addition to “standard” spyware fare like tracking users’ locations, accessing device microphones and cameras, eavesdropping on calls and texts, and stealing media files, it also offers the ability to sniff out every scrap of content and data housed in any of the apps that users have installed, including encrypted messaging apps.
“This is a very sophisticated surveillance tool,” Hebeisen says. “It takes over the operating system completely and can spy on literally everything. Given how deeply ingrained into our lives phones are these days and especially our all of our private activities, this is practically a perfect tool to find out everything an attacker ever wanted to know about somebody.”
He adds that under the hood, the malware is designed to be agile and flexible.
“Hermit is built in a very enterprise way in that it’s modular,” Hebeisen explains. “So we suspect that might actually be part of the business model, where they can sell different tiers of this surveillance kit by including or excluding certain modules.”
From a broader perspective, Hermit showcases an uncomfortable reality when it comes to next-gen mobile malware: “Despite mobile operating systems being much more modern than many of the desktop systems and having many more security controls in place, it’s still possible for attackers to get past them and then actually use the legitimate functionality of the operating system against targets,” Hebeisen says.
Nation-State Spyware: A Growing Threat
It should be noted that companies operating in this gray space, including RCS Labs, NSO Group, FinFisher creator Gamma Group, Israeli company Candiru, and Russia’s Positive Technologies, maintain that they only sell to legitimate intelligence and enforcement agencies. That however is a claim that many reject, including the US government, which recently sanctioned several of these organizations for contributing to human rights abuses and the targeting of journalists, human rights defenders, dissidents, opposition politicians, business leaders, and others.
Nonetheless, Hebeisen notes that there are more and more mobile spyware tools being developed for the blossoming so-called “lawful intercept” market, indicating ongoing demand. When one is struck down, “there are plenty of other companies standing in the wings just waiting to take over,” he says.
The demand makes sense from the geopolitical perspective as nations move away from kinetic conflict.
“As opposed to physical arms, for which you have to deal with all kinds of export controls if you want to sell those to regimes that are known for human rights violations, it seems much to get around that when you’re dealing with surveillance tools, which are essentially just a different set of weapons in the fight,” Hebeisen explains.