Google has alerted an unspecified number of Android phone users that they have been infected with a recently spotlighted spyware named Hermit. “We have identified victims in Kazakhstan and Italy,” Google’s Threat Analysis Team (TAG) said in a blog post.

Unlike Pegasus spyware, developed by NSO Group, which had “zero click” vulnerabilities on iPhone (the ability to infect a device without the user doing anything), the compromises observed by Google in Hermit’s case begins by sending a link to the victims.

The latter invites them to install an application pretending to be either a tool developed by a telephone operator or a messaging application. In some cases, according to Google, the Hermit user seeking to infect someone benefits from the complicity of a telephone company to disable the network of his target, and the phishing message invites him to reestablish his connection by passing through the infected application.

Lots of potentially stolen information

Whether on iOS or Android, Hermit uses different methods to make the victim install the application without going through the official stores (App Store and Google Play Store). Once nested in the phone system, Hermit can then access a certain amount of personal information. On Android, for example, the application asks for permissions to activate the camera and microphone, read SMS, etc., among other things.

The new information published by Google comes a week after the publication by the specialized company Lookout of a long report on Hermit, which is also based on the discovery of infected victims in Kazakhstan, but also in the northeast of the Syria, where Kurdish populations live.

Google and Lookout believe that this spyware is developed by the Italian company RCS Lab, a company which, like many others, sells surveillance technologies to governments, police and intelligence services. On its site, RCS claims to have subsidiaries in Spain and France. “RCS is the European leader in lawful interception services, with more than 10,000 targets processed daily in Europe alone,” the company continues. The fact that Hermit sometimes relies on the complicity of telecommunications operators to infect its targets also corroborates the trail of a tool used by state actors.

Former partner of Hacking Team

As Lookout points out, documents released by WikiLeaks suggest that RCS Lab was, in the early 2010s, a partner of another controversial Italian company called Hacking Team. This spyware developer, whose emails were hacked and released by an activist in 2015, was notably accused of selling surveillance technologies to authoritarian countries.

In email exchanges dated 2012, for example, one can read discussions between representatives of Hacking Team and RCS, the first company offering the second to act as a reseller for a potential customer: an information service Pakistani. In this same exchange, RCS offers to market one of the Hacking Team tools to a government client in Turkmenistan. “You have the green light to present and promote our solution to the end user in Turkmenistan,” wrote a senior Hacking Team executive, for example.

In 2016, the specialized site Motherboard got hold of a presentation made by RCS Lab to one of its customers for its own surveillance technology, at the time called Mito3.

Net giants like Google and Apple are watching the surveillance industry closely, as these companies are constantly looking for security holes in Android and iOS phones, in order to keep selling surveillance tools to their customers. In May, Google’s Threat Analysis Group claimed to actively monitor nearly 30 companies selling spying technology.