Home / Advisory / ‘Hermit’ the Spyware on Android Discovered in Targeted Attacks

‘Hermit’ the Spyware on Android Discovered in Targeted Attacks

Posted on
Cyber Secure India
Forget Pegasus, new spyware ‘Hermit’ on Android Discovered in Targeted Attacks..

Even as the allegation being heard by the Hon’ble Supreme Court of India is under way on the Pegasus Case; there is news that a similar form of Spyware is also being sold to Governments for deployment on Android Operating System Smartphone.  A Cyber-security researchers Organisation, namely, Lookout Threat Lab has in its recently report claimed to have unearthed through its research, a new enterprise-grade Android spyware called ‘Hermit’ that is being used by the governments via SMS messages to target high-profile people like business executives, human rights activists, journalists, academics and government officials. The report talks of the ‘surveillanceware’, being used by the Kazakhstan government on its citizens. The government of Kazakhstan earlier this year was threatened by nationwide protests against government policies. The researchers have claimed that the Kazakhstan government had procured the software and had been using them on people to carry out Surveillance and Suppressed the movement in their country.

“Based on our analysis, the spyware, which we named ‘Hermit’ is likely developed by Italian spyware vendor RCS Lab and Tykelab Srl, a telecommunications solutions company we suspect to be operating as a front company,” the researchers said in a blog post.

The Pegasus Spy Software that is sold by NSO of Israel, and is said to be only sold to government Agencies was in the news recently for all the wrong reasons, globally as well s in India. This new ‘Hermit’ is for Android Devices and is sold by RCS Labs, which is an Italian R&D Enterprise. Apart from these, the “FinFisher”, (also known as FinSpy) is also a surveillance software marketed by Lench IT Solutions plc, and developed by Gamma Group (with its presence in Europe), specializing in surveillance and monitoring, including equipment, software, and training services. This piece of software “FinFisher”, is more deterrent and can be used on Android, iOS, macOS, Windows, and Linux users.

The Pegasus Row in India

The Pegasus spyware, which is classified as military-grade software, which is claimed to have been secretly installable on a smartphone (Android or iOS), can turn the device into a fully-fledged surveillance device. SMS messages, emails, WhatsApp messages, iMessages, and more, are all open for reading and copying. It can record incoming and outgoing calls, as well as steal all the photos on the device. It can also activate the microphone and/or the camera and record what is being said. When you combine that with the potential to access past and present location data, it is clear that those listening at the other end know almost everything there is to know about anyone that is targeted. In October 2019 it was report by Amnesty International the use of ‘network injections’ of Pegasus, which enabled the attacker to install the spyware “without requiring any interaction by the target”.

There were large number of petitions filed in the different courts in India on the use of this Spyware (From Pegasus) by Indian Government. Subsequently, India’s Supreme Court, hearing the plea of the complainants, to include activists, journalists and political leaders, appointed a technical committee in Oct 2021. The three-Judge Bench comprising of Chief Justice of India NV Ramana and Justices Surya Kant and Hima Kohli, appointed the oversight committee lead by Justice Raveendran who would oversee the functioning of the technical committee and would be assisted by Alok Joshi, former IPS officer (1976 batch) and Dr. Sundeep Oberoi, Chairman, Sub Committee in (International Organisation of Standardisation/International Electro-Technical Commission/Joint Technical Committee).

The three-member, technical committee comprises of Dr Naveen Kumar Chaudhary, Professor (Cyber Security and Digital Forensics) and Dean, National Forensic Sciences University, Gandhinagar, Dr Prabaharan P., Professor (School of Engineering), Amrita Vishwa Vidyapeetham, Amritapuri, Kerala, and Dr Ashwin Anil Gumaste, Institute Chair, Associate Professor (Computer Science and Engineering), Indian Institute of Technology, Bombay. The Committee was tasked by the Hon’ble Court to investigate and submit a report of the alleged Spy/Snooping and other act, as claimed by the Petitioners. The latest is that, the Pegasus Investigation Committee has been able to examine the 29 mobile devices and the final reporting is underway, the Supreme Court has given more time to the technical committee to finalise and submit its report by 20 June 2022.

Hermit, a Powerful Mobile Spyware

Lookout Threat Lab researchers – who spotted the spyware – surmise that the secretive Italian spyware vendor RCS Lab developed it and has said that the spyware “Hermit” has been previously deployed by Italian authorities in a 2019 as part of anti-corruption operation in Italy. It is also reported, that the spyware also was found in north-eastern Syria, home to the country’s Kurdish majority which is the epicentre of an ongoing ethnic crises, including the Syrian civil war. and now reportedly being used by Kazakhstan government on its citizens.

How Hermit Works: Hermit first gets installed on a targeted device as a framework with minimal surveillance capability. Then it has the capability to be manipulated and inturn download modules from a command-and-control (C2) server thereby activating the spying functionality built into these modules. The software is said to contain 25 such modules. This modular approach masks the malware from automated analysis of the app and makes manual malware analysis significantly harder. In addition, it allows the malicious actor to enable and disable different functionalities in their surveillance campaign or the capabilities of a target device. Hermit can also alter its behaviour as needed to evade analysis tools and processes. It also has the ability to root the phones, by pulling in the files from its command-and-control server needed to break the device’s protections and allow near-unfettered access to a device without user interaction.

As part of the R&D the Lookout team analysed a ‘Hermit’ sample and they used a Kazakh language website as its decoy. And the main C2 server used by the app was just a proxy, with the real C2 being hosted on an IP from Kazakhstan. The combination of the targeting of Kazakh-speaking users and the location of the back-end C2 server, shows that the subject campaign is controlled by an entity in Kazakhstan, said Lookout.

It’s believed the malicious spying or surveillance intended app is distributed by text message spoofed to look like the message is coming from a legitimate source, impersonating apps from telecoms companies and other popular brands, like Samsung and Chinese electronics giant Oppo, which then tricks the victim into downloading the malicious app.


There are large number of Surveillanceware /Spyware Solutions that is available in the market, both to State Machinery and to Non-state buyers, for both Mobile and Non-mobile devices, enabled to perform targeted and generic attacks and also for spying and surveillance. The use of these tool by Government Machinery find its justification, and they claim that this is used on their citizens/foreign nationals, to safe-guard National Security. The “Hermit” is just one among them. Here again, many of these government hacking-for-hire companies, like Israeli firms Candiru and NSO Group, are used by nation states and their authorities to spy on their most vocal critics, including journalists, activists and human rights defenders.

Governments also claim the use of such software for ‘Lawful Interception’ and that the legitimacy is than justified to the judiciary. The Judiciary in India, has always upheld the cause of Privacy and Human Rights, and also ensured safeguard, against vindictive and revengeful measures undertaken by Government of the Day against bonafide citizens.

%d bloggers like this: