UPDATED 06:01 EST / JUNE 16 2022


Previously unknown form of Android surveillanceware linked to Italian companies

Researchers at cybersecurity company Lookout Inc. today detailed a previously unknown form of enterprise-grade Android surveillanceware that is being used by the government of Kazakhstan.

The surveillanceware, dubbed “Hermit,” is believed to have been developed by Italian spyware vendor RCS Lab S.p.A. and Tykelab Srl. RCS Lab is a developer that is known to have past dealings with Syria and operates in the same market as NSO Group Ltd.

The discovery of Hermit is said to be the first time a current client of RCS Lab’s mobile spyware has been publicly identified.

Hermit is described as modular surveillanceware that hides its malicious capabilities in packages downloaded after it has been deployed. The Lookout researchers obtained and analyzed 16 of the 25 known modules.

The modules, along with the core malware’s permissions, enable Hermit to exploit a rooted device, record audio and make and redirect phone calls, as well as collect data such as call logs, contacts, photos, device location and SMS messages.

How the malware is distributed is not certain, but the researchers speculate that it is delivered via SMS messages pretending to come from a legitimate source. In examples found by the researchers, Hermit impersonated applications from telecommunication companies and smartphone manufacturers.

When a target clicks the link, the malware serves up fake pages pretending to be the legitimate sites of the telcos and smartphone makers it impersonates. Those pages immediately start malicious activities in the background.

“This discovery gives us an in-depth look into a spyware vendor’s activities and how sophisticated app-based spyware operates,” said Justin Albrecht, threat intelligence researcher at Lookout. “Based on how customizable Hermit is, including its anti-analysis capabilities and even the way it carefully handles data, it’s clear that this is well-developed tooling designed to provide surveillance capabilities to nation-state customers.”

Albrecht added that researchers confirmed Kazakhstan as a probable current customer of RCS Lab. “It’s not often that you are able to identify a spyware vendor’s clientele,” he said.

Previous countries that are believed to have used RCS Lab solutions include Pakistan, Mongolia, Bangladesh, Chile, Myanmar, Vietnam, Turkmenistan and Syria.

RCS Lab has not commented on the report. According to its website, it has operated since 1993 to provide technological solutions and technical support to law enforcement agencies worldwide. The comparison between RCS Lab and NSO Group is apt.

“Spyware is a tool used by many actors worldwide, whether they are criminal organizations, state or state sponsored threat actors, or national security or law enforcement organizations following their own mandates,” Mike Parkin, senior technical engineer at enterprise cyber risk remediation company Vulcan Cyber Ltd., told SiliconANGLE. “Regardless of who is using it, or what agenda they are working towards, these commercial grade spyware tools can seriously threaten people’s personal privacy.”

Photo: Sergio Boscaino/Flickr
