Android Spyware 'Hermit' Discovered in Targeted Attacks

Researchers have discovered an enterprise-grade Android family of modular spyware dubbed Hermit conducting surveillance on citizens of Kazakhstan by their government.

Lookout Threat Lab researchers - who spotted the spyware - surmise that the secretive Italian spyware vendor RCS Lab developed it and say Hermit was previously deployed by Italian authorities in a 2019 anti-corruption operation in Italy. The spyware also was found in northeastern Syria, home to the country's Kurdish majority and a site of ongoing crises, including the Syrian civil war.

Android devices have been abused with spyware in the past; Sophos researchers uncovered new variants of Android spyware linked to a Middle Eastern APT group back in November 2021. More recent analysis from Google TAG indicates at least eight governments from across the globe are buying Android zero-day exploits for covert surveillance purposes.

Mike Parkin, senior technical engineer at Vulcan Cyber, says spyware is a tool used by many actors worldwide, including criminal organizations, state or state-sponsored threat actors, national security, and law-enforcement organizations following their own mandates.

"Regardless of who is using it or what agenda they are working toward, these commercial- grade spyware tools can seriously threaten people's personal privacy," he says.

The highest profile spyware case in recent memory was the discovery of Pegasus, a legal surveillance software developed by Israeli company NSO Group. The news caused an international furor after it was found covertly installed on iOS and Android mobile phones belonging to human rights activists, journalists, and high-ranking members of governments.

How Hermit Works

Hermit first gets installed on a targeted device as a framework with minimal surveillance capability. Then it can download modules from a command-and-control (C2) server as instructed and activate the spying functionality built into these modules.

This modular approach masks the malware from automated analysis of the app and makes manual malware analysis significantly harder. In addition, it allows the malicious actor to enable and disable different functionalities in their surveillance campaign or the capabilities of a target device. Hermit can also alter its behavior as needed to evade analysis tools and processes.

"The modular design might also be part of the business model of the software vendor, allowing them to sell individual spying features as value-add line items," explains Paul Shunk, security researcher at Lookout, which published a report on Hermit today.

Shunk says the overall design and code quality of the malware stands out compared with many other samples he has seen. 

"It was clear this was professionally developed by creators with an understanding of software engineering best practices," he says. "Beyond that, it is not very often we come across malware [that] assumes it will be able to successfully exploit a device and make use of elevated root permissions."

The discovery of Hermit adds another puzzle piece to the picture of the secretive market for "lawful intercept" surveillance tools, he says.

"As in the cases of NSO, Cytrox, and other vendors, discovery of their customers usually exposes their claim that their product is only used for legitimate purposes as at least partially untrue," Shunk says.

One of the Hermit samples Lookout analyzed used a Kazakh language website as its decoy.

And the main C2 server used by the app was just a proxy, with the real C2 being hosted on an IP from Kazakhstan. 

"The combination of the targeting of Kazakh-speaking users and the location of the back-end C2 server is a strong indication that the campaign is controlled by an entity in Kazakhstan," Shunk says.

Lookout says an Apple iOS version of the spyware exists as well, but the research team was unable to obtain a sample to analyze.

'MaliBot' Targets Online Banking

Meanwhile, another Android-based malware family reared its head this week in the form of Malibot, which is targeting online banking customers in Spain and Italy with the capability to steal credentials and crypto wallets. The malware was discovered by F5 Labs while the security company was tracking the mobile banking Trojan FluBot.

The malware consists of two campaigns: Mining X, which presents a QR code that leads to the malware Android Package Kit, and TheCryptoApp, which attempts to dupe users into downloading a fake version of the popular cryptocurrency tracker app available on the Google Play Store. 

It's also able to steal or bypass multifactor authentication codes and trick victims into downloading the malware either via a direct SMS phishing message or via fake websites they're lured to.

"This is certainly one to pay attention to and F5 expects to see a broader range of targets as time goes on, especially given the versatility of the malware could, in principle, be used for a wider range of attacks than stealing credentials and cryptocurrency," F5 warns in a blog post.