
Hermit Mobile Malware

The Hermit Malware is a sophisticated and modular mobile threat. It is designed to perform numerous invasive actions on breached devices, but its main functionality is that of spyware. The threat fetches different corrupted modules from its Command-and-Control (C2, C&C) server, depending on the specific goals of the attackers. The threat can log calls, record audio from the surrounding environment or directly from a phone call, harvest photos and video, read SMS messages and email, track the infected device's location and more. The Hermit malware can also root Android devices to obtain even broader privileges. The threat is allegedly developed by an Italian software company named RCS Lab.

A blog post by Google's Threat Analysis Group (TAG) revealed details about threatening campaigns targeting users in Italy and Kazakhstan. The cybercriminals would send users a unique link leading to a corrupted application, with both Android and iOS users being impacted. The experts believe that in some cases the attackers even worked with the targets' ISP (Internet Service Provider) to disable their mobile data connectivity. The goal is to then send the victim a corrupted link via an SMS message claiming that they may recover their Internet access if they install the application. Alternatively, the cybercriminals could disguise the threatening application as a messaging client.

The iOS version of Hermit abuses a technique known as sideloading. The applications carrying the malware are signed with an enterprise developer certificate, allowing them to satisfy all of the iOS code signing requirements without passing through the App Store. In addition, six different vulnerabilities, two of which are zero-days, are leveraged as part of the infection.
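Because an enterprise-signed app satisfies iOS code-signing checks, the defensive signal is the distribution method recorded in the app's embedded provisioning profile rather than the signature itself. The following added example (not code from the original page and not associated with Google TAG, RCS Lab or the Hermit operators) shows how a triage script can classify provisioning profiles and flag apps distributed under an in-house (enterprise) profile. It relies on the real profile keys `ProvisionsAllDevices`, `ProvisionedDevices`, `TeamIdentifier`, `Name` and `ExpirationDate`; the bundle identifiers, team identifier, dates and the fake binary wrapper around the XML are constructed sample data, and `REFERENCE_TIME` is an assumed "current time" for the expiry check.

```python
import plistlib
from dataclasses import dataclass
from datetime import datetime

# Assumed "current time" for the expiry check (constructed for this example).
REFERENCE_TIME = datetime(2024, 6, 1)


@dataclass
class ProfileSummary:
    name: str
    team_ids: list
    kind: str      # "enterprise", "ad-hoc/development" or "app-store"
    expired: bool


def extract_plist(blob: bytes) -> bytes:
    """Slice the XML plist out of an embedded.mobileprovision blob.

    The real file is a CMS (PKCS#7) signature wrapped around an XML plist; this
    triage helper only locates the XML payload and does not verify the signature.
    """
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>")
    if start == -1 or end == -1 or end < start:
        raise ValueError("no plist payload found in provisioning profile")
    return blob[start:end + len(b"</plist>")]


def classify_profile(blob: bytes, now: datetime = REFERENCE_TIME) -> ProfileSummary:
    """Classify a provisioning profile by its distribution method."""
    data = plistlib.loads(extract_plist(blob))
    if data.get("ProvisionsAllDevices"):
        # In-house (enterprise) distribution: valid on any device, which is what
        # makes sideloading with an enterprise certificate possible.
        kind = "enterprise"
    elif "ProvisionedDevices" in data:
        # Ad hoc or development profiles list the specific UDIDs they cover.
        kind = "ad-hoc/development"
    else:
        kind = "app-store"
    expires = data.get("ExpirationDate")
    expired = expires is not None and expires < now
    team = data.get("TeamIdentifier", [])
    if isinstance(team, str):
        team = [team]
    return ProfileSummary(name=data.get("Name", "?"), team_ids=list(team),
                          kind=kind, expired=expired)


def audit_inventory(inventory: dict, now: datetime = REFERENCE_TIME) -> list:
    """Return bundle IDs whose profile is enterprise-signed or unparseable.

    `inventory` maps bundle identifier -> raw embedded.mobileprovision bytes
    (in practice collected via MDM or a device backup; constructed below).
    """
    flagged = []
    for bundle_id, blob in inventory.items():
        try:
            summary = classify_profile(blob, now)
        except (ValueError, plistlib.InvalidFileException):
            flagged.append(bundle_id)  # a profile that will not parse deserves a look too
            continue
        if summary.kind == "enterprise":
            flagged.append(bundle_id)
    return sorted(flagged)


def _profile_xml(body: str) -> bytes:
    """Build a minimal provisioning-profile plist around the given dict entries."""
    return (b'<?xml version="1.0" encoding="UTF-8"?>\n'
            b'<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" '
            b'"http://www.apple.com/DTDs/PropertyList-1.0.dtd">\n'
            b'<plist version="1.0"><dict>' + body.encode() + b'</dict></plist>')


# Constructed sample inventory. The surrounding bytes imitate the CMS wrapper
# that precedes and follows the XML payload in a real embedded.mobileprovision.
SAMPLE_INVENTORY = {
    "com.example.inhouse": b"\x30\x82\x0b\xad" + _profile_xml(
        "<key>Name</key><string>Example In-House Distribution</string>"
        "<key>TeamIdentifier</key><array><string>EXAMPLE123</string></array>"
        "<key>ProvisionsAllDevices</key><true/>"
        "<key>ExpirationDate</key><date>2030-01-01T00:00:00Z</date>") + b"\x00\x01",
    "com.example.devbuild": b"\x30\x82\x0b\xad" + _profile_xml(
        "<key>Name</key><string>Example Dev Build</string>"
        "<key>TeamIdentifier</key><array><string>EXAMPLE123</string></array>"
        "<key>ProvisionedDevices</key><array><string>00000000-000000000000AAAA</string></array>"
        "<key>ExpirationDate</key><date>2020-01-01T00:00:00Z</date>") + b"\x00\x01",
    "com.example.store": b"\x30\x82\x0b\xad" + _profile_xml(
        "<key>Name</key><string>Example App Store</string>"
        "<key>TeamIdentifier</key><array><string>EXAMPLE123</string></array>"
        "<key>ExpirationDate</key><date>2030-01-01T00:00:00Z</date>") + b"\x00\x01",
}


if __name__ == "__main__":
    for bundle_id in audit_inventory(SAMPLE_INVENTORY):
        summary = classify_profile(SAMPLE_INVENTORY[bundle_id])
        print(bundle_id, summary.kind, summary.team_ids, "expired" if summary.expired else "valid")
```

An enterprise profile on a device that is not managed by that team is the condition to investigate; the team identifier recovered here can be compared against the organization's own developer team, and the same script can be pointed at profiles exported from an MDM inventory or a file-system backup.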
