Here’s how you might get suckered into installing government spyware

Your mobile internet shuts off, you’re told to install an app, and now you’ve got spyware

Governments will spy. The matter of how they do it is up to them. Enter the commercial spyware market, where law enforcement agencies have shopped around looking to get around smartphone encryption and incriminate more suspects. People are right to be worried, though, if they expect that their government is looking to crush dissent by maintaining a regime of comprehensive surveillance. This week, research groups seem to have identified a particularly insidious piece of spyware that has made its way across several countries and can even rely on a sanctioned ISP kill-switch that essentially forces you to install it.


Google’s Threat Analysis Group and Lookout Research (via TechCrunch) have both picked up on this spyware, dubbed “Hermit” and distributed by the commercial vendors Tykelab and RCS Labs out of Italy. Lookout believes that Hermit appeared first in Italy, where the government misused it in an anti-corruption campaign last year. Since then, it has been spotted in Syria, where it is believed that the government of Bashar al-Assad has been deploying it under the guise of a pro-Kurdish rebel news source as a way to infiltrate tribal members in the northeast of the country. Kazakhstan is also believed to have used Hermit to spy on citizens who have been protesting the government’s decision to lift the price cap for liquefied natural gas, the primary fuel in the former Soviet country, which has resulted in soaring costs.

The software is typically delivered by a text message linking to an app the user will need to download, along with a bit of social engineering. It can also involve interference at the network level.

“In some cases, we believe the actors worked with the target’s ISP to disable the target’s mobile data connectivity,” Google notes. “Once disabled, the attacker would send a malicious link via SMS asking the target to install an application to recover their data connectivity. We believe this is the reason why most of the applications masqueraded as mobile carrier applications.”

Hermit may run in the background, either through a website or within the installed app, from which it retrieves its malware modules remotely. The software can use device root exploits to make and redirect calls as well as log audio, call history, contacts, and other information.

Google reports that distributing the Hermit app for iOS has been easy for perpetrators because the apps are signed with certificates from an existing, Apple-licensed enterprise partner. Apple told TechCrunch it has since revoked accounts associated with the related campaigns. These privileged apps can be sideloaded and do not need to appear in the App Store. One Android app that the Threat Analysis Group picked up on was made to look like a Samsung software support app, and its malware modules had to be retrieved remotely. Google says it has pulled access to the Firebase servers from which the apps were fetching those modules.

All of it can be pretty scary, but it all comes down to you in terms of what apps you’re installing, where you’re installing them from, and whether you trust the source.
