While NSO Group’s Pegasus spyware is perhaps the most publicized surveillance weapon used by repressive governments against civil society, a recently discovered powerful mobile reconnaissance malware dubbed Hermit has been discovered and exposed by an Italian developer as a “legal interception” tool.
See you next time SECTOR Conference 2022 In Toronto, Christoph Hebeisen, director of security intelligence research at Lookout, and Paul Shunk, security researcher at the company, will present Hermit’s surveillance capabilities, in the context of the growth of the market for nation states and the use of these obscure applications.
So far, Lookout has observed that the Hermit spyware was used by the government of Kazakhstan after the violent suppression of protests with the help of the Russian armed forces; enforced by Italian law enforcement agencies; and deployed against the Kurdish minority in Syria’s conflict-ridden northeast region of Rojava.
Hermit: Hide 1 level under Pegasus
Researchers will kick off their October 5 session, titled “A hermit out of his shell“, with a discussion of Hermit’s place in the mobile spyware picture. It was developed by an Italian vendor called RCS Lab and a related company called Tykelab Srl, according to Hebeisen, and is commonly distributed on mobile platforms. Android and iOS forms by impersonating legitimate mobile apps rather than in attacks exploiting software vulnerabilities.
“There is a varied market for these; NSO Group is certainly at the top of the field, and everyone recognizes the name, because they use no-click exploits to get their surveillance malware onto the device without the user even noticing anything,” Hebeisen told Dark Reading. form of apps, and they are very effective even if they require a bit of social engineering to gain access to a target’s device. This is where Hermit plays.”
In terms of abilities, he adds that Hermit packs an information sucking punch. In addition to “standard” spyware such as tracking user locations, accessing device microphones and cameras, eavesdropping on calls and text messages, and stealing media files, it also offers the ability to detect every piece of content and data hosted in any of the apps users have installed, including encrypted messaging apps.
“It’s a very sophisticated monitoring tool,” says Hebeisen. “It completely takes control of the operating system and can literally spy on everything. Given how deeply ingrained phones are in our lives these days and especially in all of our private activities, it’s practically a perfect tool. to find out everything a striker ever wanted to know about someone.”
He adds that under the hood, the malware is designed to be nimble and flexible.
“Hermit is built very professionally in that it’s modular,” says Hebeisen. “So we suspect that might actually be part of the business model, where they can sell different levels of this surveillance kit by including or excluding certain modules.”
From a broader perspective, Hermit presents an uncomfortable reality when it comes to next-gen mobile malware: “Although mobile operating systems are much more modern than most desktop systems and they already have many more security controls in place, it is still possible for attackers to circumvent them and then use legitimate operating system features against targets,” Hebeisen says.
Nation-State Spyware: A Growing Threat
It should be noted that companies operating in this gray space, including RCS Labs, NSO Group, Gamma Group, creator of FinFisher, Israeli company Candiru and Russian company Positive Technologies say they only sell to legitimate intelligence and law enforcement agencies. It is, however, a claim that many reject, including the US government, which recently sanctioned several of these organizations for contributing to human rights violations and the targeting of journalists, human rights defenders, dissidents, opposition politicians, business leaders and others.
Nevertheless, Hebeisen notes that there are more and more mobile spyware tools being developed for the burgeoning so-called “lawful interception” market, indicating continued demand. When one is taken down, “there are plenty of other businesses behind the scenes just waiting to pick up the slack,” he says.
The request makes sense geopolitically as nations move away from kinetic conflict.
“Unlike physical weapons, where you have to deal with all sorts of export controls if you want to sell them to regimes known for their human rights abuses, it seems much easier to circumvent that when it’s about surveillance tools, which are basically just a different set of weapons in combat,” says Hebeisen.