Google warns of Italian spyware Hermit targeting iOS and Android devices

24 Jun 2022

Image: © Rokas/

Google said attackers worked with the ISPs of victims in some cases to disable their mobile data, before sending an SMS with a malicious link under the pretence of restoring connectivity.

Researchers at Google have warned of a commercial spyware linked to an Italian vendor that is targeting iOS and Android devices – and dubbed Hermit by security firm Lookout.

Google has linked the spyware to Milan-based RCS Labs and said victims have been identified in Italy and Kazakhstan. Last week, researchers at Lookout published findings on the Android version of the spyware and said they also detected its use in Syria.

Lookout said the latest samples of the Hermit spyware were detected in April, four months after nationwide protests against government policies in Kazakhstan were “violently suppressed”.

According to Lookout and Google, the Hermit spyware hides its malicious capabilities in packages downloaded after it’s deployed. The spyware can record audio, make and redirect phone calls and collect data such as call logs, contacts, photos, device location and SMS messages.

Confirming Lookout’s findings, researchers from Google’s Threat Analysis Group (TAG) said they detected victims of the spyware in Italy and Kazakhstan on both Android and iOS devices.

They also found evidence that the spyware actors worked with the internet service providers (ISPs) of victims to disable mobile data connectivity. The attacker would then send a malicious link through SMS, asking the target to install an application to recover their data connectivity.

“We believe this is the reason why most of the applications masqueraded as mobile carrier applications,” Google’s TAG researchers said in a report. “When ISP involvement is not possible, applications are masqueraded as messaging applications.”

Commercial spyware

Google said that the commercial spyware industry is “thriving” – a trend that should be concerning to internet users.

“These vendors are enabling the proliferation of dangerous hacking tools and arming governments that would not be able to develop these capabilities in-house.”

RCS Labs has been operating since 1993 and claims to have clients in law enforcement agencies worldwide. RCS Labs told Reuters that its products and services comply with European rules and help law enforcement agencies to investigate crimes. It added that it condemned any abuse of its products.

“RCS Lab personnel are not exposed, nor participate in any activities conducted by the relevant customers,” RCS Labs told Reuters in an email.

Google said it has notified the Android users of devices infected with Hermit spyware and implemented changes in Google Play to protect users. In a statement to Wired, Apple said that it has revoked all known accounts and certificates associated with the spyware campaign.

Lookout noted that RCS Labs operates in the same market as NSO Group, the Israeli company behind the military-grade spyware Pegasus. This company made headlines last year when an investigation claimed the Pegasus spyware was abused and used to target journalists, activists and government officials.

In February, the EU’s data protection watchdog called for a ban on the use of Pegasus spyware, following the revelations of its potential impact on privacy rights.

10 things you need to know direct to your inbox every weekday. Sign up for the Daily Brief, Silicon Republic’s digest of essential sci-tech news.

Leigh Mc Gowran is a journalist with Silicon Republic