Hermit Spyware: Who discovered it and why is it dangerous?

Open Access Government interviews Justin Albrecht, the Threat Intelligence officer who was behind the discovery of Hermit Spyware in Italy and Kazakhstan

Justin Albrecht, a Threat Intelligence officer from Lookout, was behind the recent discovery of the Hermit Spyware which was detected in Italy and Kazakhstan. Here, Albrecht explains the dangers of Hermit Spyware.

What is Hermit Spyware?

Hermit is an advanced spyware designed to target iOS and Android mobile devices

Hermit is an advanced spyware designed to target iOS and Android mobile devices.

It is designed to collect extensive amounts of sensitive data on its victims such as their location, contacts, private messages, photos, call logs, phone conversations, ambient audio recordings, and more.

What was the aim behind Hermit Spyware?

The primary goal of Hermit is to perform espionage against individuals in order to collect intelligence on their activities, social networks, communications, whereabouts and pattern of life.

On paper, Hermit is what’s known as “lawful intercept” tooling and is meant to be used by law enforcement and intelligence agencies in the prevention of crime, and terrorism, and to mitigate risks to national security.

However, similar tools to Hermit, such as Pegasus and Predator, have been abused in the past to spy on activists, journalists, business leaders, opposition politicians and family members of victims in the guise of protecting national security.

How dangerous is it?

A device infected with Hermit is essentially a portable bug which allows Hermit’s operators to track a victim’s location in near real-time, monitor phone calls and conversations occurring in secure chat applications, and listen in on nearby conversations even if the device is not being actively used.

In the wrong hands, it’s an incredibly dangerous tool

In the wrong hands, it’s an incredibly dangerous tool, especially if the malware’s operators have ill intentions towards the victim.

How was it first detected?

Lookout ingests a large number of Android and iOS applications that our research team hunts through in an attempt to find malware and protect our customers from such threats.

Hermit was discovered by one of our researchers in 2021 while hunting through these samples after they noticed a seemingly benign application with suspicious characteristics.

Who is responsible for Hermit Spyware?

We assess that the Italian companies RCS Lab S.p.A. and Tykelab S.R.L. are responsible for the development and deployment of Hermit.

Both companies fall under Aurora S.p.A., an organisation which controls eight separate companies primarily dedicated to providing surveillance technologies and services to government agencies.

Aurora S.p.A. was recently acquired by Elettronica S.p.A., which also owns the Italian surveillance vendor Cy4Gate.

Are governments doing enough to protect people from these kinds of threats?

While “lawful intercept” spyware has appeared in foreign espionage cases, it is much more commonly deployed by law enforcement and secret service agencies against targets in their own country.

As such, the best protection governments can provide against these threats are robust legal and judiciary checks on the powers of these agencies. The strength of these checks varies widely between countries.

In addition, governments – especially those of the countries in which surveillance vendors operate – can impose export controls on surveillance tools akin to those applied to kinetic weapons and exert pressure on vendors to prevent proliferation to countries that are likely to abuse spyware.

Little has been done to protect people worldwide

Apart from the actions taken by the US government against NSO, little has been done to protect people worldwide through such measures.

How common are these types of attacks?

Spyware like Hermit or Pegasus is fairly costly for the agencies using these tools. Hence, attacks are necessarily targeted and usually deployed against high-value targets.

The probability of spyware being discovered also increases with the number of targets it is used against and, depending on the country, there might be a high political cost associated with the discovery and public disclosure of the use of spyware.

While the number of people targeted is low for these reasons, certain groups of people, such as journalists or human-rights activists in certain countries, are at much higher risk.