Google warns Android users that 'Hermit' spyware spreads with help from ISPs

What you need to know

  • Google's security researchers have said that some internet service providers have helped attackers spread a spyware campaign.
  • The "Hermit" spyware has targeted Android and iOS users in Italy and Kazakhstan through malicious downloads.
  • Google insists the spyware was never uploaded to the Play Store.

A few weeks ago, endpoint security vendor Lookout published its findings about a spyware campaign allegedly used by governments to steal sensitive data from users in Kazakhstan and Italy. Google has now backed up that report and issued a warning to Android users about the "Hermit" spyware.

According to Google's Threat Analysis Group (TAG), governments collaborated with internet service providers (ISPs) in various countries to spread the spyware. The malware is thought to be capable of infecting both Android and iOS devices. 

Hermit is designed to lure unsuspecting users into downloading malicious apps. This occurs after ISPs, in collusion with the attackers, turn off the victims' data connection and then send them an SMS claiming that their connection will only be restored if they download an app.

If this tactic fails, the attackers will disguise the spyware as a legitimate service, such as a mobile carrier or messaging app. Once installed on a mobile device, Hermit downloads modules from a command-and-control server to gain additional capabilities.

This enables Hermit to access the users' call logs, location, photos, and text messages. The spyware also has the ability to record audio, redirect phone calls, and root an Android device to give attackers complete control. 

Lookout linked the threat to Italian software vendor RCS Labs. That said, the firm claims it only provides technical support to government agencies in lawful interception efforts, according to its website.

However, Lookout describes the Italy-based software firm as similar to NSO Group, which is known for its Pegasus spyware. That program may sound familiar, as it has been used to spy on activists, journalists, and politicians via remote zero-click smartphone surveillance.

RCS Labs did not immediately respond to Android Central's request for comment. But it told TechCrunch that its products comply with "both national and European rules and regulations."

"Any sales or implementation of products is performed only after receiving an official authorization from the competent authorities," the firm said. "Our products are delivered and installed within the premises of approved customers."

Researchers at Lookout have identified victims in Italy, Kazakhstan, and northern Syria. Google, for its part, has promised to notify users in these countries, though it did not specify how many people were affected.

Both Lookout and Google's TAG insist that apps infected with Hermit never made it to the Google Play or Apple App Store. The search giant has also released a new Google Play Protect update to beef up security for all Android phones.

Jay Bonggolto
News Writer & Reviewer
