Security researchers at Lookout recently tied a previously unattributed Android mobile spyware, dubbed Hermit, to Italian software house RCS Lab. Now, Google threat researchers have confirmed many of Lookout’s findings, and are notifying Android users whose devices were compromised by the spyware.
Hermit is a commercial spyware known to be used by governments, with victims in Kazakhstan and Italy, according to Lookout and Google. Lookout says it’s also seen the spyware deployed in northern Syria. The spyware uses various modules, which it downloads from its command and control servers as they are needed, to collect call logs, record ambient audio, redirect phone calls and collect photos, messages, emails, and the device’s precise location from a victim’s device. Lookout said in its analysis that Hermit, which works on all Android versions, also tries to root an infected Android device, granting the spyware even deeper access to the victim’s data.
Lookout said that targeted victims are sent a malicious link by text message and tricked into downloading and installing the malicious app — which masquerades as a legitimate branded telco or messaging app — from outside of the app store.