
Explained: What is Hermit, the Pegasus-like spyware that targeted Android, iOS devices?

Hermit, a sophisticated spyware, is believed to have targeted iPhone and Android devices in Italy and Kazakhstan. How is it deployed on a device, and what exactly does it do? How did it get past both Apple and Google's security measures?

Written by Shruti Dhapola , Edited by Explained Desk | New Delhi |
Updated: June 29, 2022 6:32:23 am

‘Hermit’ is the latest sophisticated spyware in the news, and it is believed to have targeted iPhones and Android devices in Italy and Kazakhstan. The spyware was developed by an Italian vendor called RCS Lab, and its deployment was first reported by researchers at Lookout, a San Francisco-based cybersecurity firm. Google’s Threat Analysis Group (TAG) then put out a detailed blog post last week, explaining how they believed Hermit was used to target devices.

What is Hermit and what exactly does it do on a device?

Hermit is a spyware on the lines of Pegasus by NSO Group. Once installed on a device, it can record audio, make unauthorised calls, and carry out many other unauthorised activities. According to Lookout, the spyware can steal stored account emails, contacts, browser bookmarks/searches, calendar events, etc. It can also take pictures on the device and steal device information such as details about applications, the kernel information, model, manufacturer, OS, security patch, phone number, etc. It can also download and install APKs (the app software files on Android) on a compromised phone.

The spyware can also upload files from the device, read notifications, and take pictures of the screen. Because it can gain root, or ‘privileged’, access on an Android system, Lookout’s research showed, it can uninstall apps like Telegram and WhatsApp. According to the researchers, the spyware can silently uninstall and reinstall Telegram, except that the reinstalled version is likely a compromised one. It can also steal data from the old app. For WhatsApp, it can prompt the user to reinstall WhatsApp via the Play Store.

So, once Hermit has been deployed to a phone, it can control and track data from all key applications.


How did Hermit get deployed on Android and iOS devices?

Sophisticated spyware such as Hermit and Pegasus cost millions of dollars in licensing fees, and these are not simple operations. It’s not like common malware targeting regular users. And in the case of Hermit, it appears the operations used were complex. According to Google’s TAG team, all campaigns started with a unique link sent to the victim’s phone. When the user clicked, the page installed the application on both Android and iOS.

But how did they get past both Apple and Google’s security measures?

Google believes the actors targeting the victims had to work with the target’s Internet Service Provider (ISP). Google notes, “We believe the actors worked with the target’s ISP to disable the target’s mobile data connectivity. Once disabled, the attacker would send a malicious link via SMS asking the target to install an application to recover their data connectivity. We believe this is the reason why most applications masquerade as mobile carrier applications.”

When ISP involvement was not possible, the spyware would pretend to be a messaging app. According to Google’s screenshot example, the link would pretend to be a recovery page for a Facebook account and ask users to download a version of either WhatsApp, Instagram or Facebook. This was the approach when the target device ran Android. These were obviously compromised versions of these messaging apps.


According to Lookout, some attacks in Kazakhstan masqueraded as pages for Oppo, Samsung and Vivo — all well-known phone brands. Further, their research shows that RCS Lab also worked with Tykelab Srl, a telecommunications solutions company. Lookout believes that this is likely a “front company” for RCS Lab, and its blog post claims to show several links between the two.

In Apple’s case, Google’s research showed that the spyware exploited Apple’s enterprise certificate, which is given to apps by select enterprises. This certification allows companies to distribute their own in-house apps for direct downloads on iOS devices, bypassing the App Store. The ‘Hermit spyware’ apps had managed to get these certifications — which have since been revoked by Apple.

Google said that a company named 3-1 Mobile SRL had the necessary certificate, as it was enrolled in the Apple Developer Enterprise Program. Google also stressed they “do not believe the apps were ever available on the App Store.” Once installed, these apps exploited several known flaws as well as zero-days to gain more access and carry out surveillance. According to a new report by 9to5Mac, Apple has now revoked the certificates for these compromised apps.


What next? How can users keep themselves safe?

As noted, Hermit is not a common spyware. Lookout’s analysis shows that in Kazakhstan, “an entity of the national government is likely behind the campaign.” Google also noted that it had identified and alerted all Android victims in Italy and Kazakhstan. It also said it had implemented changes in Google Play Protect and disabled all Firebase projects used to command and control the campaign.

Lookout also states they’ve seen this deployed in Syria. In Italy, documents showed it had been misused in an anti-corruption operation. “The document mentioned an iOS version of Hermit and linked RCS Lab and Tykelab to the malware, which corroborates our analysis,” notes the blog.

According to them, “mobile devices are the perfect target for surveillance.” While not all of us will be targeted, users should continue to follow basic tips. This includes regularly updating your phones, as each update includes a patch for previously known or unknown vulnerabilities. Once again, users should avoid clicking on unknown links, even if done out of curiosity. It is also recommended that users periodically review apps on their device to keep track of whether something unknown was added.
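As an added illustration of the app-review advice above (this is not code from the article, Google or Lookout): on Android, the apps described earlier were installed from a link rather than from the Play Store, so one practical check is to list third-party apps whose recorded installer is not a trusted store. The trusted-installer set and the sample output below are assumptions constructed for this example.

```python
import re

# Installers treated as trusted stores. This set is an assumption for the
# example; extend it with the device vendor's own store if one is in use.
TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play Store

# One line of `pm list packages -i` output: package name, then its installer.
LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<installer>\S+)$")


def find_sideloaded(pm_output, trusted=TRUSTED_INSTALLERS):
    """Return sorted (package, installer) pairs not installed by a trusted store.

    pm_output is the text printed by:
        adb shell pm list packages -3 -i
    (-3 limits the list to third-party apps, -i shows each app's installer).
    """
    findings = []
    for line in pm_output.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # ignore blank or unexpected lines
        installer = match.group("installer")
        if installer not in trusted:
            # "null" means no installer was recorded, typical of a sideload.
            findings.append((match.group("pkg"), installer))
    return sorted(findings)


# Constructed sample output; every package name here is made up.
SAMPLE = """\
package:org.example.chat  installer=com.android.vending
package:com.example.carrier.support  installer=null
package:net.example.notes  installer=com.android.vending
package:com.example.recovery  installer=com.google.android.packageinstaller
"""

if __name__ == "__main__":
    for pkg, installer in find_sideloaded(SAMPLE):
        print(f"review: {pkg} (installer={installer})")
```

A hit is a prompt to look at the app more closely, not proof of compromise; legitimately sideloaded apps show up the same way.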


Google’s blog post also offers strong condemnation of surveillance tools being used by the state, and notes that in many instances, these are being “used by governments for purposes antithetical to democratic values: targeting dissidents, journalists, human rights workers and opposition party politicians”.


Meanwhile, RCS Lab has denied any wrongdoing, saying its products and services comply with European rules and help law enforcement investigate crimes, according to a Reuters report.

First published on: 28-06-2022 at 02:13:10 pm