Security researchers from Lookout disclosed new information regarding Android spyware used in targeted attacks by national governments in Kazakhstan, Syria, and Italy.
The software, dubbed Hermit by security company Lookout, was initially discovered in Kazakhstan in April, only months after the authorities quelled anti-government rallies. According to Lookout, a Kazakh government body most likely orchestrated the use of Hermit. The software has also been used by Syrian authorities in the northeastern Kurdish region and by Italian officials in an anti-corruption operation.
What can Hermit do?
Lookout obtained a sample of the Hermit Android malware. It is modular, so it can download more components as needed. Like other spyware, Hermit collects call logs, records audio, redirects phone calls and collects images, messages, emails, and a device’s location.
According to Lookout, the malware may root phones by downloading the data needed to bypass the device’s defences, gaining near-unrestricted access to the device without requiring user interaction. Hermit runs on all Android versions.
How it gets in
Hermit periodically checks which Android version it is running on and adjusts its functionality to the operating system version. This distinguishes it from other app-based malware.
The malicious Android app is thought to be distributed via spoofed text messages that appear to come from a legitimate source. The app impersonates apps from telecom companies and other well-known brands such as Samsung and Chinese electronics giant Oppo, tricking the victim into downloading it.
Lookout found evidence of a Hermit-infected iOS app that, like other spyware, leverages Apple corporate developer credentials to sideload its harmful program from outside the app store – the same practice that got Facebook and Google in trouble for circumventing Apple’s app store restrictions. Lookout reports it was unable to collect a sample of the iOS spyware.