Google has warned an unspecified number of Android phone users that they have been infected with a recently spotlighted spyware called Hermit. “We have identified victims in Kazakhstan and Italy,” said Google’s Threat Analysis Group (TAG) in a blog post.
Unlike the Pegasus spyware developed by the NSO Group, which exploited “zero-click” vulnerabilities on the iPhone (the ability to infect a device without the user doing anything), the compromises that Google observed in Hermit’s case begin with a link sent to the victim.
The link prompts the victim to install an application that poses either as a tool from a telephone operator or as a messaging application. In some cases, according to Google, the Hermit operator seeking to infect someone relies on the target’s telephone company to disable the target’s mobile data connection; the phishing message then invites the target to restore the connection by installing the malicious application.
Lots of potentially stolen information
Whether on iOS or Android, Hermit uses various methods to get the victim to install the app without going through the official stores (App Store and Google Play Store). Once installed on the phone, Hermit can access a range of personal information. On Android, for example, the application asks for permissions to, among other things, activate the camera and microphone and read SMS messages.
The new information released by Google comes a week after the security firm Lookout published a long report on Hermit, based on infected victims found in Kazakhstan and also in northeastern Syria, a region home to a large Kurdish population.
Google and Lookout believe that this spyware was developed by the Italian company RCS Lab, a company that, like many others, sells surveillance technologies to governments, police and intelligence services. On its website, RCS claims to have subsidiaries in Spain and France. “RCS is Europe’s leader in legal interception services, with more than 10,000 targets processed daily in Europe alone,” the company continues. The fact that Hermit sometimes relies on the involvement of telecommunications operators to infect its targets also supports the conclusion that it is a tool used by state actors.
Former partner of Hacking Team
As Lookout points out, documents released by WikiLeaks suggest that in the early 2010s, RCS Lab was a partner of another controversial Italian company called Hacking Team. That spyware developer, whose emails were hacked and released by an activist in 2015, has, among other things, been accused of selling surveillance technology to authoritarian countries.
In e-mail exchanges dated 2012, for example, one can read discussions between representatives of Hacking Team and RCS, with the former offering the latter the role of reseller for a potential customer: a Pakistani intelligence service. In the same exchange, RCS offers to market one of Hacking Team’s tools to a government client in Turkmenistan. “You have the green light to present and promote our solution for the end user in Turkmenistan,” wrote, for example, a senior Hacking Team executive.
In 2016, the specialized site Motherboard obtained a presentation made by RCS Lab to one of its customers for its own monitoring technology, then called Mito3.
Internet giants like Google and Apple keep a close eye on the surveillance industry, as these companies constantly search for security holes in Android and iOS phones in order to keep selling surveillance tools to their customers. In May, Google’s Threat Analysis Group said it was actively monitoring nearly 30 companies selling spyware technologies.