Researchers at cybersecurity company Lookout Inc. today detailed a previously unknown form of enterprise-grade Android surveillanceware that is being used by the government of Kazakhstan.
The surveillanceware, dubbed “Hermit,” is believed to have been developed by Italian spyware vendor RCS Lab S.p.A. and Tykelab Srl. RCS Lab is a developer that is known to have past dealings with Syria and operates in the same market as NSO Group Ltd.
The discovery of Hermit is said to be the first time a current client of RCS Lab’s mobile spyware has been publicly identified.
Hermit is described as modular surveillanceware that hides its malicious capabilities in packages downloaded after it has been deployed. The Lookout researchers obtained and analyzed 16 of the 25 known modules.
The modules, along with the core malware’s permissions, enable Hermit to exploit a rooted device, record audio and make and redirect phone calls, as well as collect data such as call logs, contacts, photos, device location and SMS messages.
How the malware is distributed is not fully established, but the researchers believe it is delivered via SMS messages that appear to come from a legitimate source. In the samples examined, Hermit impersonated applications from telecommunication companies and smartphone manufacturers.
Once a target clicks the link, the malware displays fake pages mimicking the legitimate sites of the telcos and smartphone makers it impersonates, while malicious activity starts immediately in the background.
“This discovery gives us an in-depth look into a spyware vendor’s activities and how sophisticated app-based spyware operates,” said Justin Albrecht, threat intelligence researcher at Lookout. “Based on how customizable Hermit is, including its anti-analysis capabilities and even the way it carefully handles data, it’s clear that this is well-developed tooling designed to provide surveillance capabilities to nation-state customers.”
Albrecht added that the researchers identified Kazakhstan as a probable current customer of RCS Lab. “It’s not often that you are able to identify a spyware vendor’s clientele,” he said.
Previous countries that are believed to have used RCS Lab solutions include Pakistan, Mongolia, Bangladesh, Chile, Myanmar, Vietnam, Turkmenistan and Syria.
RCS Lab has not commented on the report. According to its website, it has operated since 1993, providing technological solutions and technical support to law enforcement agencies worldwide. The comparison with NSO Group is apt.
“Spyware is a tool used by many actors worldwide, whether they are criminal organizations, state or state sponsored threat actors, or national security or law enforcement organizations following their own mandates,” Mike Parkin, senior technical engineer at enterprise cyber risk remediation company Vulcan Cyber Ltd., told SiliconANGLE. “Regardless of who is using it, or what agenda they are working towards, these commercial grade spyware tools can seriously threaten people’s personal privacy.”