Experts link Hermit spyware to Italian surveillance firm RCS Lab and a front company

Pierluigi Paganini June 17, 2022

Experts uncovered an enterprise-grade surveillance malware dubbed Hermit used to target individuals in Kazakhstan, Syria, and Italy since 2019.

Lookout Threat Lab researchers uncovered enterprise-grade Android surveillance spyware, named Hermit, used by the government of Kazakhstan to track individuals within the country.

Hermit spyware

The latest samples of this spyware were detected by the researchers in April 2022, four months after a series of nation-wide protests against government policies that were violently suppressed.

According to Lookout, the Hermit spyware was likely developed by Italian surveillance vendor RCS Lab S.p.A and Tykelab Srl, the latter is a telecommunications solutions company suspected to be operating as a front company.

The researchers reported that they observed the use of the Hermit spyware in other circumstance. In 2019, the spyware was used by the Italian authorities in an anti-corruption operation, experts also uncovered an unknown actor that used the surveillance software in northeastern Syria. 

RCS Lab, a well known “lawful intercept” company that officially only sells its products to law enforcement and intelligence agencies.

Hermit is a sophisticated threat with a modular structure, it allows operators to take full control over the infected devices.

“We obtained and analyzed 16 of the 25 known modules, each with unique capabilities. These modules, along with the permissions the core apps have, enable Hermit to exploit a rooted device, record audio and make and redirect phone calls, as well as collect data such as call logs, contacts, photos, device location and SMS messages.” reads the analysis published by Lookout.

“We theorize that the spyware is distributed via SMS messages pretending to come from a legitimate source. The malware samples analyzed impersonated the applications of telecommunications companies or smartphone manufacturers. Hermit tricks users by serving up the legitimate webpages of the brands it impersonates as it kickstarts malicious activities in the background.”

The experts also added that all the samples they analyzed are Android versions of the spyware, however, they are aware of an iOS version of spyware.

The malware is likely distributed via SMS messages that trick victims into installing apps masquerading as Samsung, Vivo, and Oppo apps. Upon opening the apps, the website of the impersonated company is opened, while the infection process starts in the background.

The report published by Lookout states that RCS Lab also has past dealings with the Syrian authoritarian regime, as part of its collaboration with Berlin-based Advanced German Technology (AGT) to sell surveillance solutions.

According to leaked documents published in WikiLeaks in 2015, RCS Lab was a reseller of the notorious Italian surveillance firm HackingTeam. RCS Lab was providing its software to military and intelligence agencies in Pakistan, Chile, Mongolia, Bangladesh, Vietnam, Myanmar and Turkmenistan.

“According to its own website, Tykelab provides innocuous technology solutions. However, we found various publicly-available clues that suggest otherwise. In addition to the Italian parliamentary document, we found several pieces of evidence tying Tykelab to RCS Lab.” continues the report. “For example, a current Tykelab employee’s LinkedIn profile indicates that they also work at RCS Lab. In addition, the company offers services that require skills that may be useful in the development and delivery of surveillanceware, such as knowledge or interaction with telecommunications networks, social media analysis, SMS services and mobile app development. One of the Tykelab job postings for a security engineer we found spells out desired skills that would have direct application to surveillance of mobile networks and devices.”

The researchers also provided further evidence that links Tykelab to Hermit and RCS, they also published Indicators of Compromise for this threat.

Security Affairs is one of the finalists for the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS. I ask you to vote for me again (even if you have already done it), because this vote is for the final.

Please vote for Security Affairs and Pierluigi Paganini in every category that includes them (e.g. sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog”)

To nominate, please visit: 

https://docs.google.com/forms/d/e/1FAIpQLSdNDzjvToMSq36YkIHQWwhma90SR0E9rLndflZ3Cu_gVI2Axw/viewform

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Hermit spyware)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment