Hermit Spyware – Mobile (Android, iOS)
Hermit: State-Backed Mobile Spyware Used in Targeted Surveillance Campaigns
Hermit is a modular spyware toolkit for Android and iOS, designed to enable state-level actors to surveil targets with full access to their mobile devices. It allows attackers to read messages, listen to calls, access files, and control hardware like the microphone and camera. Discovered in active use in multiple countries, Hermit is developed by Italian spyware vendor RCS Lab, which markets surveillance capabilities to government clients.
Introduction to Hermit
Hermit typically infects smartphones through SMS phishing, fake app downloads, or zero-day exploit delivery, often requiring the victim to install an app that masquerades as a legitimate service (e.g., telecom provider support). Once installed, it connects to attacker-controlled servers to download additional spyware modules and begins harvesting data in real time. Its use has been documented in politically sensitive regions, where it has reportedly been deployed against dissidents, journalists, and human rights defenders.
1. How Hermit Works
Infection Mechanism:
Hermit is deployed via:
- Phishing SMS messages that trick users into installing a fake app
- Man-in-the-middle (MITM) attacks by ISPs that redirect app downloads
- Exploits, including zero-days targeting both Android and iOS
- Delivery via side-loaded apps, requiring installation from unknown sources
The attacker often impersonates a trusted brand, like a mobile carrier, to increase success.
Payload Execution:
Once the Hermit app is installed:
- It requests or silently gains extensive permissions (camera, microphone, storage, etc.)
- Connects to a command-and-control (C2) server to receive modular payloads
- Begins recording audio, collecting messages, contact lists, and location data
- Can access end-to-end encrypted apps by abusing accessibility services or capturing data before encryption
- Remains hidden using obfuscation and dynamic payload loading
2. History and Notable Campaigns
Origin and Discovery:
Hermit was publicly analyzed in 2022 by Lookout and Google’s Threat Analysis Group (TAG). It was traced back to RCS Lab, a surveillance vendor headquartered in Italy with ties to telecom-focused spyware development.
Notable Campaigns:
- Hermit campaigns were uncovered in Kazakhstan, Syria, and Italy, targeting civil society and political figures
- In some cases, local ISPs were suspected of cooperating, redirecting users to fake download pages
- Hermit was observed delivering modular spyware payloads, making analysis more difficult and infection stealthier
- Google confirmed that iOS zero-day exploits were used in Hermit operations against selected victims
3. Targets and Impact
Targeted Victims and Sectors:
Hermit targets individuals in:
- Journalism and media
- Politics and civil society organizations
- Activist networks and human rights advocacy groups
Victims are often selected as part of state-sponsored surveillance operations.
Consequences:
- Complete loss of mobile privacy
- Compromised communications, including voice, video, and encrypted messages
- Potential exposure of whistleblowers, sources, or sensitive contacts
- Broader impact on press freedom, civil liberties, and human rights
4. Technical Details
Payload Capabilities:
- Accesses SMS, email, calls, and messaging apps
- Records audio using the device’s microphone
- Activates camera and captures media
- Collects GPS and network location data
- Retrieves files, contacts, and system logs
- Modular architecture enables attackers to download specific surveillance features as needed
Evasion Techniques:
- Delivered via side-loaded apps that bypass official app stores
- Uses legitimate-looking permissions and obfuscated code
- Payloads are dynamically downloaded, reducing initial footprint
- Disguises spyware components as system or service apps
- Can detect jailbroken/rooted environments and adjust behavior
5. Preventing Hermit Infections
Best Practices:
- Avoid installing apps from unknown sources or unofficial links
- Be wary of SMS messages urging app downloads or support interactions
- Keep mobile OS and apps fully updated to patch known vulnerabilities
- Use security-focused mobile browsers and VPNs to avoid MITM interception
- Monitor for sudden requests for excessive permissions
Recommended Security Tools:
- Google Play Protect (Android)
- iOS Lockdown Mode (for high-risk users)
- Mobile security apps like Lookout, Zimperium, or Kaspersky Mobile Security
- Access Now’s Helpline or Amnesty International’s Mobile Security Tools for civil society
6. Detecting and Removing Hermit
Indicators of Compromise (IoCs):
- Presence of unexpected apps not installed via Play Store or App Store
- Battery drain and performance issues from background surveillance activity
- Sudden permission escalations (microphone, camera, contacts)
- Connections to suspicious domains or IPs
- Forensics may reveal Hermit’s C2 domains or downloaded modules
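The first indicator above, an app that did not arrive through the official store, can be checked on Android with two stock adb commands. The script below is an added example (not code from Lookout, Google TAG or RCS Lab): it parses captured output of `pm list packages -3 -i` to find third-party packages whose recorded installer is not the store, then reads the runtime-permission section of `dumpsys package <pkg>` for grants matching the capabilities described in section 4. The sample command output is constructed and the package names are hypothetical.

```python
"""Triage third-party Android packages by installer and sensitive grants.

Added example, not code from Lookout, Google TAG or RCS Lab. It parses
captured output of `pm list packages -3 -i` and `dumpsys package <pkg>`;
the sample text below is constructed and the package names hypothetical.
"""
import re

STORE_INSTALLERS = {"com.android.vending"}  # official store's installer id
# Runtime permissions behind the capabilities listed in section 4.
SENSITIVE = {
    "android.permission.RECORD_AUDIO", "android.permission.CAMERA",
    "android.permission.READ_SMS", "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_CONTACTS", "android.permission.READ_CALL_LOG",
}
PKG_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")
PERM_LINE = re.compile(r"^\s*(android\.permission\.\w+): granted=(true|false)")


def sideloaded_packages(pm_output: str) -> dict:
    """Return {package: installer} for third-party apps not installed by a store."""
    found = {}
    for line in pm_output.splitlines():
        m = PKG_LINE.match(line.strip())
        if m and m.group(2) not in STORE_INSTALLERS:
            found[m.group(1)] = m.group(2)
    return found


def granted_sensitive(dumpsys_output: str) -> set:
    """Return sensitive runtime permissions granted in one dumpsys package dump."""
    return {
        m.group(1)
        for m in map(PERM_LINE.match, dumpsys_output.splitlines())
        if m and m.group(2) == "true" and m.group(1) in SENSITIVE
    }


# Constructed sample: one store install and one app sideloaded through the
# package-installer UI, the pattern the IoC list above describes.
SAMPLE_PM = """\
package:com.example.bank  installer=com.android.vending
package:com.example.carrier.support  installer=com.google.android.packageinstaller
"""
SAMPLE_DUMPSYS = """\
    runtime permissions:
      android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET ]
      android.permission.CAMERA: granted=true, flags=[ USER_SET ]
      android.permission.READ_CONTACTS: granted=false, flags=[ USER_SET ]
"""
```

Run `sideloaded_packages` over the real `pm` output, then `granted_sensitive` over the `dumpsys` dump of each flagged package; a sideloaded app posing as a carrier tool with microphone and camera grants is exactly the combination worth preserving for forensic review rather than deleting on the spot.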
Removal Steps:
- Factory reset the device to eliminate persistent spyware
- Change all credentials, especially for messaging, email, and cloud services
- Avoid restoring from backups that may include the infected app
- Monitor for ongoing suspicious behavior and verify SIM/network configuration
- Seek help from cybersecurity professionals or civil society digital safety organizations
Professional Help:
For journalists, activists, or political figures, contact Access Now, Citizen Lab, or Amnesty International for forensic assistance and safe device handling.
7. Response to a Hermit Infection
Immediate Steps:
- Stop using the compromised device immediately
- Notify trusted contacts of potential surveillance
- Use a secondary, clean device for communication
- Secure sensitive accounts with 2FA and password changes
- Report the incident to relevant digital rights organizations
8. Legal and Ethical Implications
Legal Considerations:
Hermit has been tied to state-sponsored surveillance, raising serious questions around legal export controls, international human rights laws, and violations of privacy regulations. The vendor, RCS Lab, has faced investigations in Europe for misuse of its spyware platform.
Ethical Considerations:
Hermit’s deployment illustrates how commercial spyware can be misused for political repression. It raises deep ethical concerns about the sale of surveillance technology to repressive regimes, often with little oversight or accountability.
9. Resources and References
- Google TAG: Hermit Spyware Analysis
- Lookout Threat Intelligence Report: Lookout Uncovers Hermit Spyware Deployed in Kazakhstan
- Citizen Lab Tech Resources
- Amnesty Tech Resources
- MITRE ATT&CK for Mobile
10. FAQs about Hermit
Q: What is Hermit spyware?
A commercial surveillance tool targeting Android and iOS devices, designed to steal data and control device functions remotely.
Q: Who uses Hermit?
Primarily state actors and government agencies, often in politically sensitive or authoritarian environments.
Q: How does Hermit spread?
Through phishing SMS, fake apps, and sometimes exploits delivered via malicious links or MITM attacks.
Q: Can it be removed?
Yes — but only through a factory reset and full reconfiguration. For high-risk cases, forensic help is recommended.
11. Conclusion
Hermit represents the growing threat of commercial spyware targeting mobile users worldwide. While advertised as a lawful surveillance tool, its real-world use shows how quickly these platforms can be turned against civil society. Protecting against threats like Hermit requires tech safeguards, strong policies, and global accountability for spyware vendors and their clients.